static enum net_verdict ieee802154_recv(struct net_if *iface, struct
net_pkt *pkt)
{
// Tobias Scharnowski: Missing length validation in
ieee802154_validate_frame and subfunctions
if (!ieee802154_validate_frame(net_pkt_data(pkt),
net_pkt_get_len(pkt), &mpdu)) {
return NET_DROP;
}
...
// Tobias Scharnowski: Missing underflow check here
hdr_len = (u8_t *)mpdu.payload - net_pkt_data(pkt); -> hdr_len is
larger than the netbuf size
net_buf_pull(pkt->buffer, hdr_len);
...
}
// -> ieee802154_validate_frame does not properly check that hdr_len
will not be larger than available space in pkt
// -> modifications performed by PAN id and src/dest address decoding,
leading to integer underflow in pkt size and thus larger fake size of netbuf
Issue Description
Packet buf size is underflown for small ieee802154 packets in
zephyr/subsys/net/l2/ieee802154/ieee802154.c#ieee802154_recv.
Manual computation of size is performed in
ieee802154_recvafter theminimal size has not been properly validated in
ieee802154_validate_frame. The size check for minimal packet size ofIEEE802154_MIN_LENGTH (==3) does not include potential additional sizes
introduced by PAN id and/or (extended) src/dest addresses.
During frame validation, the PAN ID / address fields can be of extended
lengths in
zephyr/subsys/net/l2/ieee802154/ieee802154_frame.c#ieee802154_validate_frame(2+8, 8 additional bytes) for packet type
type == IEEE802154_FRAME_TYPE_DATAin
zephyr/subsys/net/l2/ieee802154/ieee802154_frame.c#validate_payload_and_mfr.A sample manifestation resides in an out-of-bounds access in
uncompress_IPHC_header function (subsys/net/ip/6lo.c)
Vulnerable Code
Source Code References
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154.c#L180
- call to ieee802154_validate_frame:
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154.c#L186
- manual size calculation without underflow check:
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154.c#L220
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154_frame.c#L372
- minimum (
<3) size check:https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154_frame.c#L377
- call to validate_addr which may modify p_buf:
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154_frame.c#L392
- further passing of parameters to validate_payload_and_mfr:
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154_frame.c#L410
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154_frame.c#L332
- missing underflow check for length:
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154_frame.c#L338
- setting of mpdu->payload:
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/l2/ieee802154/ieee802154_frame.c#L353
call with large size in uncompress_IPHC_header
https://github.com/zephyrproject-rtos/zephyr/blob/zephyr-v2.2.0/subsys/net/ip/6lo.c#L1356
Exploitability and Impact
small size needs to reach the ieee802154 stack.
(>64kB of RAM), corruption is likely to be exploitable to RCE as well
Patches
This has been fixed in:
For more information
If you have any questions or comments about this advisory:
embargo: 2020-06-29
zepsec: ZEPSEC-65
thanks: Steffen Schultz