net: ipv6: Do not access link address past array length

It is possible to manually set link address length past 6 at runtime
and trying to check IPv6 ll address that way. This should fail
as we could read two bytes past the address buffer.

Coverity-CID: 516242

Signed-off-by: Jukka Rissanen <jukka.rissanen@nordicsemi.no>
This commit is contained in:
Jukka Rissanen 2025-05-26 10:39:31 +03:00 committed by Benjamin Cabé
commit d718b46ddb

View file

@ -1536,6 +1536,10 @@ static inline bool net_ipv6_addr_based_on_ll(const struct in6_addr *addr,
break;
case 8:
if (sizeof(lladdr->addr) < 8) {
return false;
}
if (!memcmp(&addr->s6_addr[9], &lladdr->addr[1],
lladdr->len - 1) &&
(addr->s6_addr[8] ^ 0x02) == lladdr->addr[0]) {