Hi, the maintainers of RIOT were made aware of a potential vulnerability in the ipv6_addr module a few days back. An off-by-2 and off-by-4 error caused a buffer overflow in ipv6_addr_from_str() allowing a potential attacker to overwrite the return address of the surrounding frame. This occured due to an error in the transcript of the original version of this function by Paul Vixie. With [1] and [2] this was fixed for current master and the upcoming 2017.04 release. If you are using older RIOT releases and can’t change right now, we highly recommend you to backport this fix.
Regards,
Martine
[1] https://github.com/RIOT-OS/RIOT/pull/6961 [2] https://github.com/RIOT-OS/RIOT/pull/6962