Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gnrc_sixlowpan: Various hardening fixes #18817

Merged
merged 10 commits into from Oct 29, 2022
gnrc_sixlowpan_iphc: fix integer underflow in gnrc_sixlowpan_iphc_recv()
  • Loading branch information
miri64 committed Oct 28, 2022
commit 2709fbd827b688fe62df2c77c316914f4a3a6d4a
21 changes: 14 additions & 7 deletions sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
Expand Up @@ -760,8 +760,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
iface = gnrc_netif_hdr_get_netif(netif->data);
payload_offset = _iphc_ipv6_decode(iphc_hdr, netif->data, iface,
ipv6->data);
if (payload_offset == 0) {
/* unable to parse IPHC header */
if ((payload_offset == 0) || (payload_offset > sixlo->size)) {
miri64 marked this conversation as resolved.
Show resolved Hide resolved
/* unable to parse IPHC header or malicious packet */
DEBUG("6lo iphc: malformed IPHC header\n");
_recv_error_release(sixlo, ipv6, rbuf);
return;
}
Expand All @@ -781,7 +782,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
&prev_nh_offset,
ipv6,
&uncomp_hdr_len);
if (payload_offset == 0) {
if ((payload_offset == 0) || (payload_offset > sixlo->size)) {
/* unable to parse IPHC header or malicious packet */
DEBUG("6lo iphc: malformed IPHC NHC IPv6 header\n");
_recv_error_release(sixlo, ipv6, rbuf);
return;
}
Expand All @@ -796,7 +799,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
prev_nh_offset,
ipv6,
&uncomp_hdr_len);
if (payload_offset == 0) {
if ((payload_offset == 0) || (payload_offset > sixlo->size)) {
/* unable to parse IPHC header or malicious packet */
DEBUG("6lo iphc: malformed IPHC NHC IPv6 header\n");
_recv_error_release(sixlo, ipv6, rbuf);
return;
}
Expand Down Expand Up @@ -898,9 +903,11 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
/* re-assign IPv6 header in case realloc changed the address */
ipv6_hdr = ipv6->data;
ipv6_hdr->len = byteorder_htons(payload_len);
memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len,
((uint8_t *)sixlo->data) + payload_offset,
sixlo->size - payload_offset);
if (sixlo->size > payload_offset) {
memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len,
((uint8_t *)sixlo->data) + payload_offset,
sixlo->size - payload_offset);
}
if (rbuf != NULL) {
rbuf->super.current_size += (uncomp_hdr_len - payload_offset);
#ifdef MODULE_GNRC_SIXLOWPAN_FRAG_VRB
Expand Down