gnrc_rpl: Lack of bounds check for packed structs #16018
Labels: Area: network, Type: bug
Description
RIOT's RPL implementation as provided by the gnrc_rpl module lacks proper bounds checks. RPL messages are encapsulated in ICMPv6 datagrams. The message body of the ICMPv6 datagram is extracted as follows (see RIOT/sys/net/gnrc/routing/rpl/gnrc_rpl.c, lines 175 to 196 at 7ed50c3):
The code above casts icmpv6_hdr + 1 (i.e. the ICMPv6 message body) to the appropriate RPL packed struct (e.g. gnrc_rpl_dio_t). However, it does not check whether the message is large enough to even contain a gnrc_rpl_dio_t (or any other packed RPL struct). As such, the handlers in gnrc_rpl_control_messages.c for specific RPL messages must check the len parameter before accessing any fields of these structs. The handler for gnrc_rpl_dao_t messages, for example, directly passes the required information to the gnrc_rpl_validation_DAO function; however, this function itself accesses fields of the struct before performing a length check to ensure that these fields are actually present. For example (see RIOT/sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c, lines 116 to 118 at 1b35d06):
If the ICMP packet is too short this will result in an out-of-bounds read.
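The ordering the report describes, beside the check it asks for, as an added example that is not RIOT's own code. The packed struct is a simplified stand-in for a DAO base object as laid out in RFC 6550 (four fixed bytes, then a 16-byte DODAGID only when the D flag is set); the names dao_base_t, dao_view_t, dao_parse and dao_expected_len_unchecked, the flag constant and the sample bodies are all constructed here. It assumes len is the number of bytes actually present in the ICMPv6 body, which is the only number a handler may trust before dereferencing anything.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for a packed RPL DAO base object (RFC 6550 section 6.4).
 * Example definitions, not RIOT's gnrc_rpl_dao_t. */
#define DAO_FLAG_D   0x40u   /* D bit of the K/D flags byte: DODAGID follows */
#define DODAGID_LEN  16u

typedef struct __attribute__((packed)) {
    uint8_t instance_id;
    uint8_t k_d_flags;
    uint8_t reserved;
    uint8_t dao_sequence;
} dao_base_t;

enum {
    DAO_OK = 0,
    DAO_ERR_SHORT_BASE = -1,     /* fewer than sizeof(dao_base_t) bytes present */
    DAO_ERR_SHORT_DODAGID = -2,  /* D flag set but the DODAGID is missing or cut */
};

typedef struct {
    uint8_t instance_id;
    uint8_t dao_sequence;
    const uint8_t *dodag_id;     /* NULL when the D flag is clear */
} dao_view_t;

/* The ordering the issue describes: the flags byte is dereferenced to compute
 * the expected length, and only afterwards would a caller compare len against
 * it. With a body shorter than two bytes, reading k_d_flags is already an
 * out-of-bounds read. Kept for contrast; only ever call it on a body that is
 * known to hold at least sizeof(dao_base_t) bytes. */
static size_t dao_expected_len_unchecked(const uint8_t *body)
{
    const dao_base_t *dao = (const dao_base_t *)body;
    size_t need = sizeof(dao_base_t);
    if (dao->k_d_flags & DAO_FLAG_D) {   /* body[1] read before anyone checked it exists */
        need += DODAGID_LEN;
    }
    return need;
}

/* Hardened parser: every dereference is preceded by a check that the bytes it
 * touches lie within len. The fixed part is validated first; only then may the
 * flag inside it decide whether a second, larger bound has to hold. */
int dao_parse(const uint8_t *body, size_t len, dao_view_t *out)
{
    if (body == NULL || out == NULL || len < sizeof(dao_base_t)) {
        return DAO_ERR_SHORT_BASE;           /* nothing may be read yet */
    }
    const dao_base_t *dao = (const dao_base_t *)body;
    out->instance_id = dao->instance_id;
    out->dao_sequence = dao->dao_sequence;
    out->dodag_id = NULL;
    if (dao->k_d_flags & DAO_FLAG_D) {
        if (len < sizeof(dao_base_t) + DODAGID_LEN) {
            return DAO_ERR_SHORT_DODAGID;    /* flag present, address is not */
        }
        out->dodag_id = body + sizeof(dao_base_t);
    }
    return DAO_OK;
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    static const uint8_t truncated[2]   = { 0x01, 0x40 };              /* cut inside the base object */
    static const uint8_t no_dodagid[4]  = { 0x01, 0x00, 0x00, 0x07 };  /* D clear, base complete */
    static const uint8_t d_but_short[4] = { 0x01, 0x40, 0x00, 0x07 };  /* D set, DODAGID missing */
    uint8_t full[20] = { 0x01, 0x40, 0x00, 0x07 };                     /* D set, DODAGID present */
    memset(full + 4, 0xfd, DODAGID_LEN);

    dao_view_t v;
    printf("truncated   -> %d\n", dao_parse(truncated, sizeof(truncated), &v));
    printf("no_dodagid  -> %d\n", dao_parse(no_dodagid, sizeof(no_dodagid), &v));
    printf("d_but_short -> %d\n", dao_parse(d_but_short, sizeof(d_but_short), &v));
    printf("full        -> %d, DODAGID at offset %td\n",
           dao_parse(full, sizeof(full), &v), v.dodag_id - full);
    /* The unchecked helper is only safe to show on a body that is long enough. */
    printf("unchecked expected length for full: %zu\n", dao_expected_len_unchecked(full));
    return 0;
}
```

The point of the split into two bounds is that the second bound depends on a byte that the first bound guards; a single computed expected_len that reads the flag first, as in the referenced lines, inverts that dependency and is exactly what a two-byte ICMPv6 body exercises.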
Steps to reproduce the issue
Use examples/gnrc_networking, activate gnrc_pktbuf_malloc and set CONFIG_GNRC_RPL_DEFAULT_NETIF to your netif (check with ifconfig in the shell provided by gnrc_networking); mine is 6. Compile and run the application using:

Afterwards run socat as:

Expected results
The application shouldn't crash.
Actual results