Re: Vulnerability Report: Logical Error in 6LoWPAN Multicast Context Address Compression

[Andrew Lunn <andrew@lunn.ch>]

On Tue, May 05, 2026 at 05:18:34PM +0800, Quan Sun wrote:
> ## 1. Summary
> A logical vulnerability exists in the 6LoWPAN IPHC (IP Header Compression)
> subsystem of the Linux kernel, specifically within the
> `lowpan_iphc_mcast_ctx_addr_compress` function in `net/6lowpan/iphc.c`.
> 
> The function uses incorrect memory offsets during the `memcpy` operations
> intended to compress an IPv6 multicast address. This mismatch in offsets
> results in an incorrectly formed compressed address being transmitted over
> the network, which is incompatible with the corresponding decompression
> logic. Consequently, context-based multicast address compression in 6LoWPAN
> is broken and fails to operate as defined by the protocol.
> 
> ## 2. Vulnerability Details
> 
> According to 6LoWPAN address compression standards (and aligning with the
> decompression function `lowpan_uncompress_multicast_ctx_daddr`), a
> context-based compressed multicast address should be represented by exactly
> 6 bytes:
> *   **Bytes 0-1:** Derived from `s6_addr[1]` and `s6_addr[2]` (Flags, Scope,
> and Reserved bits).
> *   **Bytes 2-5:** Derived from `s6_addr[12]` to `s6_addr[15]` (The 4-byte
> Group ID).
> 
> However, in the compression function `lowpan_iphc_mcast_ctx_addr_compress`,
> the offsets provided to the `memcpy` calls are flawed:
> 
> ```c
> static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 **hc_ptr,
> 					      const struct lowpan_iphc_ctx *ctx,
> 					      const struct in6_addr *ipaddr)
> {
> 	u8 data[6];
> 
> 	/* flags/scope, reserved (RIID) */
> 	memcpy(data, &ipaddr->s6_addr[1], 2);
> 	/* group ID */
> 	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
> 	lowpan_push_hc_data(hc_ptr, data, 6);
> 
> 	return LOWPAN_IPHC_DAM_00;
> }
> ```
> 
> ### Analysis of the Error:
> 1.  **Incorrect Destination Offset:** The second `memcpy` writes to
> `&data[1]` instead of `&data[2]`. This overwrites the byte previously copied
> from `s6_addr[2]` into `data[1]`.
> 2.  **Incorrect Source Offset:** The source address is specified as
> `&ipaddr->s6_addr[11]` instead of `&ipaddr->s6_addr[12]`. This means it
> begins reading from the last byte of the network prefix rather than the
> start of the 4-byte Group ID.
> 
> Because the compression formatting does not match the expected structure
> required by the decompression function, multicast packets utilizing
> context-based compression will be corrupted upon transmission.
> 
> ## 3. Impact
> This vulnerability breaks the Context-Based Multicast Address Compression
> feature (`LOWPAN_IPHC_DAM_00` when `M` and `DAC` bits are set) in 6LoWPAN
> networks. Nodes receiving these packets will incorrectly decompress the
> destination multicast address, leading to dropped packets and communication
> failures within the multicast group.
> 
> ## 4. Suggested Fix
> The fix requires adjusting both the destination and source offsets in the
> second `memcpy` call to correctly place the 4-byte Group ID into the
> compressed `data` buffer.
> 
> ### Proposed Patch:
> 
> ```diff
> --- a/net/6lowpan/iphc.c
> +++ b/net/6lowpan/iphc.c
> @@ -1084,9 +1084,9 @@ static u8 lowpan_iphc_mcast_ctx_addr_compress(u8
> **hc_ptr,
>  	u8 data[6];
> 
>  	/* flags/scope, reserved (RIID) */
>  	memcpy(data, &ipaddr->s6_addr[1], 2);
>  	/* group ID */
> -	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
> +	memcpy(&data[2], &ipaddr->s6_addr[12], 4);
>  	lowpan_push_hc_data(hc_ptr, data, 6);
> 
>  	return LOWPAN_IPHC_DAM_00;
>  }

Since you have a fix, why not just submit a proper patch in the usual
way?

https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html
https://docs.kernel.org/process/submitting-patches.html

    Andrew

---
pw-bot: cr