Vulnerability Report: Logical Error in 6LoWPAN Multicast Context Address Compression

[Quan Sun <2022090917019@std.uestc.edu.cn>]

## 1. Summary
A logical vulnerability exists in the 6LoWPAN IPHC (IP Header 
Compression) subsystem of the Linux kernel, specifically within the 
`lowpan_iphc_mcast_ctx_addr_compress` function in `net/6lowpan/iphc.c`.

The function uses incorrect memory offsets during the `memcpy` 
operations intended to compress an IPv6 multicast address. This mismatch 
in offsets results in an incorrectly formed compressed address being 
transmitted over the network, which is incompatible with the 
corresponding decompression logic. Consequently, context-based multicast 
address compression in 6LoWPAN is broken and fails to operate as defined 
by the protocol.

## 2. Vulnerability Details

According to 6LoWPAN address compression standards (and aligning with 
the decompression function `lowpan_uncompress_multicast_ctx_daddr`), a 
context-based compressed multicast address should be represented by 
exactly 6 bytes:
*   **Bytes 0-1:** Derived from `s6_addr[1]` and `s6_addr[2]` (Flags, 
Scope, and Reserved bits).
*   **Bytes 2-5:** Derived from `s6_addr[12]` to `s6_addr[15]` (The 
4-byte Group ID).

However, in the compression function 
`lowpan_iphc_mcast_ctx_addr_compress`, the offsets provided to the 
`memcpy` calls are flawed:

```c
static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 **hc_ptr,
					      const struct lowpan_iphc_ctx *ctx,
					      const struct in6_addr *ipaddr)
{
	u8 data[6];

	/* flags/scope, reserved (RIID) */
	memcpy(data, &ipaddr->s6_addr[1], 2);
	/* group ID */
	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
	lowpan_push_hc_data(hc_ptr, data, 6);

	return LOWPAN_IPHC_DAM_00;
}
```

### Analysis of the Error:
1.  **Incorrect Destination Offset:** The second `memcpy` writes to 
`&data[1]` instead of `&data[2]`. This overwrites the byte previously 
copied from `s6_addr[2]` into `data[1]`.
2.  **Incorrect Source Offset:** The source address is specified as 
`&ipaddr->s6_addr[11]` instead of `&ipaddr->s6_addr[12]`. This means it 
begins reading from the last byte of the network prefix rather than the 
start of the 4-byte Group ID.

Because the compression formatting does not match the expected structure 
required by the decompression function, multicast packets utilizing 
context-based compression will be corrupted upon transmission.

## 3. Impact
This vulnerability breaks the Context-Based Multicast Address 
Compression feature (`LOWPAN_IPHC_DAM_00` when `M` and `DAC` bits are 
set) in 6LoWPAN networks. Nodes receiving these packets will incorrectly 
decompress the destination multicast address, leading to dropped packets 
and communication failures within the multicast group.

## 4. Suggested Fix
The fix requires adjusting both the destination and source offsets in 
the second `memcpy` call to correctly place the 4-byte Group ID into the 
compressed `data` buffer.

### Proposed Patch:

```diff
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -1084,9 +1084,9 @@ static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 
**hc_ptr,
  	u8 data[6];

  	/* flags/scope, reserved (RIID) */
  	memcpy(data, &ipaddr->s6_addr[1], 2);
  	/* group ID */
-	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
+	memcpy(&data[2], &ipaddr->s6_addr[12], 4);
  	lowpan_push_hc_data(hc_ptr, data, 6);

  	return LOWPAN_IPHC_DAM_00;
  }
```