xiaoxiang781216 commented on code in PR #18857:
URL: https://github.com/apache/nuttx/pull/18857#discussion_r3212165712
##########
net/sixlowpan/sixlowpan_input.c:
##########
@@ -226,14 +247,23 @@ static uint16_t sixlowpan_uncompress_ipv6proto(FAR
uint8_t *fptr,
return 0;
}
+ /* Check if the TCP header exceeds the frame size */
+
+ if (fptr + g_frame_hdrlen + protosize > endofframe)
+ {
+ nerr("ERROR: TCP header size from tcpoffset exceeds frame bounds\n");
+ return -EINVAL;
+ }
+
/* Copy the protocol header. */
memcpy((FAR uint8_t *)ipv6 + g_uncomp_hdrlen, fptr + g_frame_hdrlen,
protosize);
g_frame_hdrlen += protosize;
g_uncomp_hdrlen += protosize;
- return protosize;
+
+ return (int)protosize;
Review Comment:
why need the cast
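Review bot: The new bounds test `if (fptr + g_frame_hdrlen + protosize > endofframe)` forms the end pointer before comparing it. C leaves pointer arithmetic that lands more than one element past the buffer undefined, so a compiler may assume the sum never passes `endofframe` and weaken the test. Comparing lengths keeps the check well defined: `if (protosize > (size_t)(endofframe - (fptr + g_frame_hdrlen)))`, which presumes `fptr + g_frame_hdrlen` is already known to be at or before `endofframe`; that is not visible in the quoted lines. The check also covers only the `memcpy` source, so it is worth confirming that the destination at `ipv6 + g_uncomp_hdrlen` has room for `protosize` bytes. The function begins before this hunk, and the quoted hunk stops at the commented line.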
##########
net/sixlowpan/sixlowpan_input.c:
##########
@@ -174,20 +185,22 @@ static void sixlowpan_uncompress_ipv6hdr(FAR uint8_t
*fptr,
* Copy the protocol header following the IPv4 header
*
* Input Parameters:
+ * iob - Pointer to the iob struct
* fptr - Pointer to the beginning of the frame under construction
* bptr - Output goes here. Normally this is a known offset into d_buf,
* may be redirected to g_bitbucket on the case of FRAGN frames.
- * proto - True: Copy the protocol header following the IPv6 header too.
*
* Returned Value:
- * The size of the protocol header that was copied.
+ * The size of the protocol header that was copied or a negative error.
*
****************************************************************************/
-static uint16_t sixlowpan_uncompress_ipv6proto(FAR uint8_t *fptr,
- FAR uint8_t *bptr)
+static int sixlowpan_uncompress_ipv6proto(FAR struct iob_s *iob,
Review Comment:
let's return result through `FAR uint16_t *`?
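Review bot: The updated Returned Value text, `or a negative error`, does not say which error or when it occurs. The only failure visible in this review is the `-EINVAL` returned when the protocol header would run past the end of the frame, so the line could read `The size of the protocol header that was copied, or -EINVAL if the header extends beyond the received frame.` The new `iob` entry would help more if it said what the function reads from it, presumably the frame length used for the bounds check (to be confirmed). The unchanged description line still says `IPv4 header` although the function is named for IPv6. The signature continues past the last quoted line.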
##########
net/sixlowpan/sixlowpan_input.c:
##########
@@ -494,7 +530,15 @@ static int sixlowpan_frame_process(FAR struct
radio_driver_s *radio,
if (!isfrag || isfrag1)
{
- protosize = sixlowpan_uncompress_ipv6proto(fptr, bptr);
+ ret = sixlowpan_uncompress_ipv6proto(iob, fptr, bptr);
+ if (ret < 0)
+ {
+ nerr("ERROR: Failed to uncompress IPv6 proto header: %d\n",
+ ret);
+ goto errout_with_reass;
+ }
+
+ protosize = (uint8_t) ret;
Review Comment:
remove space before ret
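Review bot: `protosize = (uint8_t) ret;` narrows the result to 8 bits, although the callee returned `uint16_t` before this change and now returns its own `protosize` as `int`. A value above 255 would be silently truncated here rather than rejected. The declaration of `protosize` in sixlowpan_frame_process is outside the quoted lines, so the right width is an assumption: if it is `uint16_t`, `protosize = (uint16_t)ret;` matches it, and if it is `int`, no cast is needed once `ret < 0` has been handled. sixlowpan_frame_process starts and ends outside this hunk.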