Commit
net: ip: Fix for improper offset return by net_pkt_find_offset()
The original packet's link-layer destination and source address can be
stored in separately allocated memory. This allocated memory can be
placed just after pkt data buffers.
When `net_pkt_find_offset()` uses the condition:
`if (buf->data <= ptr && ptr <= (buf->data + buf->len)) {`
the offset is set outside the packet's buffer and the function returns
an incorrect offset instead of an error code.
Finally, the offset is used to set the ll address in the cloned packet, and
this can cause unexpected behavior (e.g. a crash when the cursor is set
to empty memory).

Signed-off-by: Marcin Gasiorek <[email protected]>
(cherry picked from commit fb99f65)
MarGasiorek authored and github-actions[bot] committed Mar 6, 2024
1 parent 0de7085 commit b517a80
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion subsys/net/ip/net_pkt.c
Expand Up @@ -1756,7 +1756,7 @@ static int32_t net_pkt_find_offset(struct net_pkt *pkt, uint8_t *ptr)
buf = pkt->buffer;

while (buf) {
if (buf->data <= ptr && ptr <= (buf->data + buf->len)) {
if (buf->data <= ptr && ptr < (buf->data + buf->len)) {
ret = offset + (ptr - buf->data);
break;
}
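Review bot: the tightened upper bound `ptr < (buf->data + buf->len)` carries no comment saying why the end is exclusive, and an undocumented `<` versus `<=` is easy to revert by accident. A one-line comment above the `if` noting that `buf->data + buf->len` is one past the last valid byte of the fragment (and, per the commit message, may be the start of a separate allocation) would help. With this bound a pointer equal to the end of a fragment no longer matches, so the loop moves on and the function returns whatever `ret` was initialised to; the initial value and the caller are outside this hunk, so it is worth confirming that the caller which sets the ll address in the cloned packet checks for a negative `int32_t` return before using it as a cursor offset. Separately, `buf->data <= ptr` is a relational comparison between pointers that may not point into the same object, which C leaves undefined; doing the range check on `uintptr_t` values would make it well defined.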