Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gnrc_sixlowpan: Various hardening fixes [backport 2022.10] #18820

Merged
gnrc_sixlowpan_iphc: fix integer underflow in gnrc_sixlowpan_iphc_recv()
(cherry picked from commit 2709fbd)
  • Loading branch information
miri64 committed Oct 29, 2022
commit d052e2ee166e55bbdfe4c455e65dbd7e3479ebe3
21 changes: 14 additions & 7 deletions sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
Expand Up @@ -760,8 +760,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
iface = gnrc_netif_hdr_get_netif(netif->data);
payload_offset = _iphc_ipv6_decode(iphc_hdr, netif->data, iface,
ipv6->data);
if (payload_offset == 0) {
/* unable to parse IPHC header */
if ((payload_offset == 0) || (payload_offset > sixlo->size)) {
/* unable to parse IPHC header or malicious packet */
DEBUG("6lo iphc: malformed IPHC header\n");
_recv_error_release(sixlo, ipv6, rbuf);
return;
}
Expand All @@ -781,7 +782,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
&prev_nh_offset,
ipv6,
&uncomp_hdr_len);
if (payload_offset == 0) {
if ((payload_offset == 0) || (payload_offset > sixlo->size)) {
/* unable to parse IPHC header or malicious packet */
DEBUG("6lo iphc: malformed IPHC NHC IPv6 header\n");
_recv_error_release(sixlo, ipv6, rbuf);
return;
}
Expand All @@ -796,7 +799,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
prev_nh_offset,
ipv6,
&uncomp_hdr_len);
if (payload_offset == 0) {
if ((payload_offset == 0) || (payload_offset > sixlo->size)) {
/* unable to parse IPHC header or malicious packet */
DEBUG("6lo iphc: malformed IPHC NHC IPv6 header\n");
_recv_error_release(sixlo, ipv6, rbuf);
return;
}
Expand Down Expand Up @@ -898,9 +903,11 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
/* re-assign IPv6 header in case realloc changed the address */
ipv6_hdr = ipv6->data;
ipv6_hdr->len = byteorder_htons(payload_len);
memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len,
((uint8_t *)sixlo->data) + payload_offset,
sixlo->size - payload_offset);
if (sixlo->size > payload_offset) {
memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len,
((uint8_t *)sixlo->data) + payload_offset,
sixlo->size - payload_offset);
}
if (rbuf != NULL) {
rbuf->super.current_size += (uncomp_hdr_len - payload_offset);
#ifdef MODULE_GNRC_SIXLOWPAN_FRAG_VRB
Expand Down