Skip to content

Null Pointer dereference during IPHC encoding

High
chrysn published GHSA-8x69-5fhj-72wh Apr 24, 2023

Package

RIOT-OS

Affected versions

< 2022.10

Patched versions

2022.10

Description

Impact

RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device resulting in a NULL pointer dereference while encoding a 6LoWPAN IPHC header. The NULL pointer dereference causes a hard fault exception leading to denial of service.

Patches

Workarounds

  • Backport the patches listed above

For more information

If you have any questions or comments about this advisory:

Bug Details

While encoding an IPv6 header the data is extracted from the next snippet in the packet (source):

    gnrc_pktsnip_t *hdr = pkt->next->next;
    ipv6_ext_t *ext = hdr->data;

Then the header is removed from the snippet (source):

    if (!_remove_header(pkt, hdr, ext_len)) {

If all data is consumed by the header the snippet will be removed entirely (source):

    if (hdr->size > exp_hdr_size) {
        hdr = gnrc_pktbuf_mark(hdr, exp_hdr_size,
                               GNRC_NETTYPE_UNDEF);

        if (hdr == NULL) {
            DEBUG("6lo iphc: unable to remove compressed header\n");
            return false;
        }
    }
    gnrc_pktbuf_remove_snip(pkt, hdr);

The IPv6 header that consumed the snippet can still contain a next header value and thus the firmware tries to encode another header.
During encoding the data is again read from the next snippet.
If no next snippet exists, e.g. because it was removed, the NULL pointer will be dereferenced.

Severity

High
7.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2023-24822

Weaknesses

Credits