public inbox for netdev@vger.kernel.org
* Vulnerability Report: Logical Error in 6LoWPAN Multicast Context Address Compression
From: Quan Sun @ 2026-05-05  9:18 UTC (permalink / raw)
  To: linux-wpan, netdev; +Cc: alex.aring, davem, edumazet

## 1. Summary
A logical vulnerability exists in the 6LoWPAN IPHC (IP Header 
Compression) subsystem of the Linux kernel, specifically within the 
`lowpan_iphc_mcast_ctx_addr_compress` function in `net/6lowpan/iphc.c`.

The function uses incorrect memory offsets during the `memcpy` 
operations intended to compress an IPv6 multicast address. This mismatch 
in offsets results in an incorrectly formed compressed address being 
transmitted over the network, which is incompatible with the 
corresponding decompression logic. Consequently, context-based multicast 
address compression in 6LoWPAN is broken and fails to operate as defined 
by the protocol.

## 2. Vulnerability Details

According to 6LoWPAN address compression standards (and aligning with 
the decompression function `lowpan_uncompress_multicast_ctx_daddr`), a 
context-based compressed multicast address should be represented by 
exactly 6 bytes:
*   **Bytes 0-1:** Derived from `s6_addr[1]` and `s6_addr[2]` (Flags, 
Scope, and Reserved bits).
*   **Bytes 2-5:** Derived from `s6_addr[12]` to `s6_addr[15]` (The 
4-byte Group ID).

However, in the compression function 
`lowpan_iphc_mcast_ctx_addr_compress`, the offsets provided to the 
`memcpy` calls are flawed:

```c
static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 **hc_ptr,
					      const struct lowpan_iphc_ctx *ctx,
					      const struct in6_addr *ipaddr)
{
	u8 data[6];

	/* flags/scope, reserved (RIID) */
	memcpy(data, &ipaddr->s6_addr[1], 2);
	/* group ID */
	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
	lowpan_push_hc_data(hc_ptr, data, 6);

	return LOWPAN_IPHC_DAM_00;
}
```

### Analysis of the Error:
1.  **Incorrect Destination Offset:** The second `memcpy` writes to 
`&data[1]` instead of `&data[2]`. This overwrites the byte previously 
copied from `s6_addr[2]` into `data[1]`.
2.  **Incorrect Source Offset:** The source address is specified as 
`&ipaddr->s6_addr[11]` instead of `&ipaddr->s6_addr[12]`. This means it 
begins reading from the last byte of the network prefix rather than the 
start of the 4-byte Group ID.

Because the compression formatting does not match the expected structure 
required by the decompression function, multicast packets utilizing 
context-based compression will be corrupted upon transmission.

## 3. Impact
This vulnerability breaks the Context-Based Multicast Address 
Compression feature (`LOWPAN_IPHC_DAM_00` when `M` and `DAC` bits are 
set) in 6LoWPAN networks. Nodes receiving these packets will incorrectly 
decompress the destination multicast address, leading to dropped packets 
and communication failures within the multicast group.

## 4. Suggested Fix
The fix requires adjusting both the destination and source offsets in 
the second `memcpy` call to correctly place the 4-byte Group ID into the 
compressed `data` buffer.

### Proposed Patch:

```diff
--- a/net/6lowpan/iphc.c
+++ b/net/6lowpan/iphc.c
@@ -1084,9 +1084,9 @@ static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 
**hc_ptr,
  	u8 data[6];

  	/* flags/scope, reserved (RIID) */
  	memcpy(data, &ipaddr->s6_addr[1], 2);
  	/* group ID */
-	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
+	memcpy(&data[2], &ipaddr->s6_addr[12], 4);
  	lowpan_push_hc_data(hc_ptr, data, 6);

  	return LOWPAN_IPHC_DAM_00;
  }
```
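Review bot: the `+` line's offsets match the 6-byte layout described above (bytes 0-1 from `s6_addr[1..2]`, bytes 2-5 from `s6_addr[12..15]`), but the `-` line had a second consequence the report does not spell out: with `memcpy(&data[1], ..., 4)` only `data[0..4]` were ever written, so `lowpan_push_hc_data(hc_ptr, data, 6)` pushed one never-initialised byte of `data[6]` onto the wire, which is an uninitialised-stack disclosure in addition to a mis-formed address, and the commit message should say so. Separately, the patch as pasted will not apply: the `@@` header is wrapped across two lines (`**hc_ptr,` on its own line), the blank context lines have lost their leading space, the counts `-1084,9 +1084,9` do not match the ten lines shown per side, and there is no commit message, `Fixes:` tag or `Signed-off-by:` line; send it with `git format-patch` and `git send-email` so it can be picked up as a real fix.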


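As an added example that is not part of the report or of the kernel's own code: a userspace round-trip check of the M=1/DAC=1/DAM=00 form, with the compression offsets the report flags beside the corrected ones and a decompressor following the 6-byte layout the report describes (not a copy of `lowpan_uncompress_multicast_ctx_daddr`). The `mcast_ctx` struct, the sample address and the helper names are constructed for this test.

```c
/* Constructed userspace re-implementation (not kernel code) that round-trips a
 * multicast address through the 6-byte form ffXX:XXLL:PPPP:PPPP:PPPP:PPPP:XXXX:XXXX. */
#include <stdint.h>
#include <string.h>

struct mcast_ctx { uint8_t plen; uint8_t pfx[8]; }; /* assumed minimal context */

/* Offsets as in the report: out[1..4] <- s6_addr[11..14]; out[1] is clobbered
 * and out[5] is never written. */
static void compress_buggy(uint8_t out[6], const uint8_t a[16])
{
	memcpy(out, &a[1], 2);
	memcpy(&out[1], &a[11], 4);
}

/* Corrected: out[0..1] <- s6_addr[1..2], out[2..5] <- s6_addr[12..15]. */
static void compress_fixed(uint8_t out[6], const uint8_t a[16])
{
	memcpy(out, &a[1], 2);
	memcpy(&out[2], &a[12], 4);
}

/* Decompression for the same layout: flags/scope inline, plen and 64-bit
 * prefix restored from the context, 4-byte group ID inline. */
static void decompress(uint8_t a[16], const uint8_t in[6], const struct mcast_ctx *c)
{
	a[0] = 0xff;
	memcpy(&a[1], in, 2);
	a[3] = c->plen;
	memcpy(&a[4], c->pfx, 8);
	memcpy(&a[12], &in[2], 4);
}

/* Constructed sample ff3e:0040:2001:0db8:0000:0001:1234:5678; bytes 3..11 are
 * exactly what sample_ctx restores, so only the inline bytes can differ. */
static const struct mcast_ctx sample_ctx = { 0x40, {0x20,0x01,0x0d,0xb8,0,0,0,1} };
static const uint8_t sample_addr[16] = { 0xff,0x3e,0x00,0x40, 0x20,0x01,0x0d,0xb8,
					 0x00,0x00,0x00,0x01, 0x12,0x34,0x56,0x78 };

/* Returns 1 if compress -> decompress reproduces the original address. */
static int roundtrip(void (*compress)(uint8_t[6], const uint8_t[16]))
{
	uint8_t wire[6] = {0}, back[16]; /* zeroed so the unwritten byte is defined */
	compress(wire, sample_addr);
	decompress(back, wire, &sample_ctx);
	return memcmp(sample_addr, back, 16) == 0;
}

int roundtrip_fixed(void) { return roundtrip(compress_fixed); }
int roundtrip_buggy(void) { return roundtrip(compress_buggy); } /* returns 0 */
```

With the buggy offsets the receiver rebuilds `ff3e:0140:...:1234:5600` instead of `ff3e:0040:...:1234:5678`, which is the mismatch that makes the group unreachable.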

* Re: Vulnerability Report: Logical Error in 6LoWPAN Multicast Context Address Compression
From: Andrew Lunn @ 2026-05-05 13:01 UTC (permalink / raw)
  To: Quan Sun; +Cc: linux-wpan, netdev, alex.aring, davem, edumazet

On Tue, May 05, 2026 at 05:18:34PM +0800, Quan Sun wrote:
> ## 1. Summary
> A logical vulnerability exists in the 6LoWPAN IPHC (IP Header Compression)
> subsystem of the Linux kernel, specifically within the
> `lowpan_iphc_mcast_ctx_addr_compress` function in `net/6lowpan/iphc.c`.
> 
> The function uses incorrect memory offsets during the `memcpy` operations
> intended to compress an IPv6 multicast address. This mismatch in offsets
> results in an incorrectly formed compressed address being transmitted over
> the network, which is incompatible with the corresponding decompression
> logic. Consequently, context-based multicast address compression in 6LoWPAN
> is broken and fails to operate as defined by the protocol.
> 
> ## 2. Vulnerability Details
> 
> According to 6LoWPAN address compression standards (and aligning with the
> decompression function `lowpan_uncompress_multicast_ctx_daddr`), a
> context-based compressed multicast address should be represented by exactly
> 6 bytes:
> *   **Bytes 0-1:** Derived from `s6_addr[1]` and `s6_addr[2]` (Flags, Scope,
> and Reserved bits).
> *   **Bytes 2-5:** Derived from `s6_addr[12]` to `s6_addr[15]` (The 4-byte
> Group ID).
> 
> However, in the compression function `lowpan_iphc_mcast_ctx_addr_compress`,
> the offsets provided to the `memcpy` calls are flawed:
> 
> ```c
> static u8 lowpan_iphc_mcast_ctx_addr_compress(u8 **hc_ptr,
> 					      const struct lowpan_iphc_ctx *ctx,
> 					      const struct in6_addr *ipaddr)
> {
> 	u8 data[6];
> 
> 	/* flags/scope, reserved (RIID) */
> 	memcpy(data, &ipaddr->s6_addr[1], 2);
> 	/* group ID */
> 	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
> 	lowpan_push_hc_data(hc_ptr, data, 6);
> 
> 	return LOWPAN_IPHC_DAM_00;
> }
> ```
> 
> ### Analysis of the Error:
> 1.  **Incorrect Destination Offset:** The second `memcpy` writes to
> `&data[1]` instead of `&data[2]`. This overwrites the byte previously copied
> from `s6_addr[2]` into `data[1]`.
> 2.  **Incorrect Source Offset:** The source address is specified as
> `&ipaddr->s6_addr[11]` instead of `&ipaddr->s6_addr[12]`. This means it
> begins reading from the last byte of the network prefix rather than the
> start of the 4-byte Group ID.
> 
> Because the compression formatting does not match the expected structure
> required by the decompression function, multicast packets utilizing
> context-based compression will be corrupted upon transmission.
> 
> ## 3. Impact
> This vulnerability breaks the Context-Based Multicast Address Compression
> feature (`LOWPAN_IPHC_DAM_00` when `M` and `DAC` bits are set) in 6LoWPAN
> networks. Nodes receiving these packets will incorrectly decompress the
> destination multicast address, leading to dropped packets and communication
> failures within the multicast group.
> 
> ## 4. Suggested Fix
> The fix requires adjusting both the destination and source offsets in the
> second `memcpy` call to correctly place the 4-byte Group ID into the
> compressed `data` buffer.
> 
> ### Proposed Patch:
> 
> ```diff
> --- a/net/6lowpan/iphc.c
> +++ b/net/6lowpan/iphc.c
> @@ -1084,9 +1084,9 @@ static u8 lowpan_iphc_mcast_ctx_addr_compress(u8
> **hc_ptr,
>  	u8 data[6];
> 
>  	/* flags/scope, reserved (RIID) */
>  	memcpy(data, &ipaddr->s6_addr[1], 2);
>  	/* group ID */
> -	memcpy(&data[1], &ipaddr->s6_addr[11], 4);
> +	memcpy(&data[2], &ipaddr->s6_addr[12], 4);
>  	lowpan_push_hc_data(hc_ptr, data, 6);
> 
>  	return LOWPAN_IPHC_DAM_00;
> }
> ```

Since you have a fix, why not just submit a proper patch in the usual
way?

https://www.kernel.org/doc/html/latest/process/maintainer-netdev.html
https://docs.kernel.org/process/submitting-patches.html

    Andrew

---
pw-bot: cr


