Linux-Bluetooth Archive on
 help / color / Atom feed
* [PATCH AUTOSEL 4.4 079/174] 6lowpan: Off by one handling ->nexthdr
       [not found] <>
@ 2020-01-16 17:41 ` Sasha Levin
  0 siblings, 0 replies; only message in thread
From: Sasha Levin @ 2020-01-16 17:41 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Dan Carpenter, Jukka Rissanen, Alexander Aring, Marcel Holtmann,
	Sasha Levin, linux-bluetooth, linux-wpan, netdev

From: Dan Carpenter <>

[ Upstream commit f57c4bbf34439531adccd7d3a4ecc14f409c1399 ]

NEXTHDR_MAX is 255.  What happens here is that we take a u8 value
"hdr->nexthdr" from the network and then look it up in
lowpan_nexthdr_nhcs[].  The problem is that if hdr->nexthdr is 0xff then
we read one element beyond the end of the array so the array needs to
be one element larger.

Fixes: 92aa7c65d295 ("6lowpan: add generic nhc layer interface")
Signed-off-by: Dan Carpenter <>
Acked-by: Jukka Rissanen <>
Acked-by: Alexander Aring <>
Signed-off-by: Marcel Holtmann <>
Signed-off-by: Sasha Levin <>
 net/6lowpan/nhc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/6lowpan/nhc.c b/net/6lowpan/nhc.c
index 7008d53e455c..e61679bf0908 100644
--- a/net/6lowpan/nhc.c
+++ b/net/6lowpan/nhc.c
@@ -18,7 +18,7 @@
 #include "nhc.h"
 static struct rb_root rb_root = RB_ROOT;
-static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX];
+static struct lowpan_nhc *lowpan_nexthdr_nhcs[NEXTHDR_MAX + 1];
 static DEFINE_SPINLOCK(lowpan_nhc_lock);
 static int lowpan_nhc_insert(struct lowpan_nhc *nhc)

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <>
2020-01-16 17:41 ` [PATCH AUTOSEL 4.4 079/174] 6lowpan: Off by one handling ->nexthdr Sasha Levin

Linux-Bluetooth Archive on

Archives are clonable:
	git clone --mirror linux-bluetooth/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-bluetooth linux-bluetooth/ \
	public-inbox-index linux-bluetooth

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone