From d039d30abe70dc924f9dfc83946572e1ef56f18d Mon Sep 17 00:00:00 2001 From: Tony Wu Date: Thu, 3 Nov 2016 14:38:23 +0800 Subject: [PATCH 1/2] lwip - Fix lwip_mac_address buffer overflow Sounds serious, but should be benign. Signed-off-by: Tony Wu --- features/FEATURE_LWIP/lwip-interface/lwip_stack.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/features/FEATURE_LWIP/lwip-interface/lwip_stack.c b/features/FEATURE_LWIP/lwip-interface/lwip_stack.c index f8099386f4..892b36767d 100644 --- a/features/FEATURE_LWIP/lwip-interface/lwip_stack.c +++ b/features/FEATURE_LWIP/lwip-interface/lwip_stack.c @@ -104,7 +104,7 @@ static void mbed_lwip_socket_callback(struct netconn *nc, enum netconn_evt eh, u /* TCP/IP and Network Interface Initialisation */ static struct netif lwip_netif; static bool lwip_dhcp = false; -static char lwip_mac_address[NSAPI_MAC_SIZE] = "\0"; +static char lwip_mac_address[NSAPI_MAC_SIZE]; #if !LWIP_IPV4 || !LWIP_IPV6 static bool all_zeros(const uint8_t *p, int len) @@ -309,13 +309,13 @@ static void mbed_lwip_netif_status_irq(struct netif *lwip_netif) static void mbed_lwip_set_mac_address(void) { #if (MBED_MAC_ADDRESS_SUM != MBED_MAC_ADDR_INTERFACE) - snprintf(lwip_mac_address, 19, "%02x:%02x:%02x:%02x:%02x:%02x", + snprintf(lwip_mac_address, NSAPI_MAC_SIZE, "%02x:%02x:%02x:%02x:%02x:%02x", MBED_MAC_ADDR_0, MBED_MAC_ADDR_1, MBED_MAC_ADDR_2, MBED_MAC_ADDR_3, MBED_MAC_ADDR_4, MBED_MAC_ADDR_5); #else char mac[6]; mbed_mac_address(mac); - snprintf(lwip_mac_address, 19, "%02x:%02x:%02x:%02x:%02x:%02x", + snprintf(lwip_mac_address, NSAPI_MAC_SIZE, "%02x:%02x:%02x:%02x:%02x:%02x", mac[0], mac[1], mac[2], mac[3], mac[4], mac[5]); #endif } From 70ad0f5226b986df56f7e995b55db09c6a6f5301 Mon Sep 17 00:00:00 2001 
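Review bot: In the #else branch of mbed_lwip_set_mac_address, `mac` is plain `char` but is formatted with `%02x`, so on a toolchain where char is signed a byte of 0x80 or above is sign-extended and prints as eight hex digits. The corrected bound would then cut the string short without any error, because the snprintf return value is ignored. Casting each argument, e.g. `(unsigned char)mac[0]`, avoids this; it may not trigger on the supported targets, since ARM compilers commonly default to unsigned char. Both calls would also be more robust with `sizeof(lwip_mac_address)` as the size argument, so the bound follows the array declared in the first hunk rather than depending on the macro being repeated correctly at each call site.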
From: Tony Wu Date: Thu, 3 Nov 2016 18:16:17 +0800 Subject: [PATCH 2/2] netsocket - Fix set_ip_bytes out-of-bound access set_ip_bytes() does a 16-byte memcpy from the input buffer to the local nsapi_addr_t despite the address version. If the address version is ipv4, the input buffer may only be 4-byte in size. This causes a out-of-bound access on the input buffer. Signed-off-by: Tony Wu --- features/netsocket/SocketAddress.cpp | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/features/netsocket/SocketAddress.cpp b/features/netsocket/SocketAddress.cpp index c7a8c91e10..8fc2595294 100644 --- a/features/netsocket/SocketAddress.cpp +++ b/features/netsocket/SocketAddress.cpp @@ -203,8 +203,14 @@ bool SocketAddress::set_ip_address(const char *addr) void SocketAddress::set_ip_bytes(const void *bytes, nsapi_version_t version) { nsapi_addr_t addr; + + addr = nsapi_addr_t(); addr.version = version; - memcpy(addr.bytes, bytes, NSAPI_IP_BYTES); + if (version == NSAPI_IPv6) { + memcpy(addr.bytes, bytes, NSAPI_IPv6_BYTES); + } else if (version == NSAPI_IPv4) { + memcpy(addr.bytes, bytes, NSAPI_IPv4_BYTES); + } set_addr(addr); }
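Review bot: The if/else-if chain in set_ip_bytes has no final else, so a `version` that is neither NSAPI_IPv6 nor NSAPI_IPv4 copies nothing but is still stored in `addr.version` and passed to set_addr with all-zero bytes. Either handle that case explicitly or document that it is intended. The function takes no length and does not check `bytes` for NULL before memcpy, so the caller's obligation should be stated on the function, e.g. `// bytes must point to at least NSAPI_IPv4_BYTES or NSAPI_IPv6_BYTES readable bytes, matching version`. As a style point, `nsapi_addr_t addr = nsapi_addr_t();` would zero the struct at its declaration instead of in a separate assignment.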