Buffer overflow in RPL source routing header processing
A buffer overflow can be triggered by an input packet when using either of Contiki-NG's two RPL implementations in source-routing mode. In particular, the segments_left value taken from the source routing header is not validated against the path_len value, which is calculated in the os/net/routing/rpl-lite/rpl-ext-header.c module on line 117 as follows:
path_len = ((ext_len - padding - RPL_RH_LEN - RPL_SRH_LEN - (16 - cmpre)) / (16 - cmpri)) + 1;
Because the cmpre value used in this calculation can be controlled by an attacker, it is possible to produce a path_len value that is smaller than the segments_left value. When the index of the next address to process is then calculated (line 132), the value can overflow and yield an index that points outside the packet buffer. The memcpy call on line 143 then causes a buffer overflow.
Note that the problem exists in the os/net/routing/rpl-classic/rpl-ext-header.c module as well, but with different line numbers.
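As an added illustration, not code from Contiki-NG or from this advisory, the following C sketch evaluates the path_len formula quoted above, models the unchecked index step, and places a bounds check of the kind the fix requires beside it. RPL_RH_LEN and RPL_SRH_LEN are assumed to be 4 bytes each (the RFC 6554 header layout); the index expression, the status names and the sample header values are constructed for this example and are not the project's own.

```c
#include <stdio.h>

/* Assumed sizes from the RFC 6554 layout: a 4-byte IPv6 routing header base
 * followed by 4 bytes of SRH fields (CmprI, CmprE, Pad, Reserved). */
#define RPL_RH_LEN    4
#define RPL_SRH_LEN   4
#define IPV6_ADDR_LEN 16

/* Status codes for the hardened check; the names are constructed here. */
enum srh_status { SRH_OK = 0, SRH_BAD_CMPR = 1, SRH_BAD_LEN = 2, SRH_BAD_SEGMENTS = 3 };

/* The path_len formula quoted in the advisory, evaluated in int so that a
 * too-short header shows up as a negative intermediate instead of wrapping. */
static int compute_path_len(int ext_len, int padding, int cmpri, int cmpre)
{
  return ((ext_len - padding - RPL_RH_LEN - RPL_SRH_LEN - (IPV6_ADDR_LEN - cmpre))
          / (IPV6_ADDR_LEN - cmpri)) + 1;
}

/* Model of the unchecked index step: the next address to visit is entry
 * path_len - segments_left, each entry being (16 - cmpri) bytes wide. This is
 * a model of the computation, not Contiki-NG's exact expression. */
static long unchecked_next_addr_offset(int path_len, unsigned segments_left, int cmpri)
{
  long i = (long)path_len - (long)segments_left; /* negative once segments_left > path_len */
  return RPL_RH_LEN + RPL_SRH_LEN + i * (IPV6_ADDR_LEN - cmpri);
}

/* 1 if a (16 - cmpri)-byte read at offset stays inside an ext_len-byte header. */
static int offset_in_header(long offset, int cmpri, int ext_len)
{
  return offset >= 0 && offset + (IPV6_ADDR_LEN - cmpri) <= ext_len;
}

/* Hardened variant: every field that feeds the index is checked before use. */
static enum srh_status srh_validate(int ext_len, int padding, int cmpri, int cmpre,
                                    unsigned segments_left, int *path_len_out)
{
  int payload, path_len;

  /* CmprI and CmprE are 4-bit fields; rejecting >15 also keeps the divisor positive. */
  if(cmpri > 15 || cmpre > 15) {
    return SRH_BAD_CMPR;
  }
  /* The header must at least hold the fixed fields plus the final (CmprE-compressed) address. */
  payload = ext_len - padding - RPL_RH_LEN - RPL_SRH_LEN - (IPV6_ADDR_LEN - cmpre);
  if(payload < 0) {
    return SRH_BAD_LEN;
  }
  path_len = payload / (IPV6_ADDR_LEN - cmpri) + 1;
  /* RFC 6554: Segments Left may not exceed the number of addresses carried.
   * A value of 0 means the header has been consumed and is left to the caller. */
  if(segments_left > (unsigned)path_len) {
    return SRH_BAD_SEGMENTS;
  }
  if(path_len_out != NULL) {
    *path_len_out = path_len;
  }
  return SRH_OK;
}

int main(void)
{
  /* Constructed legitimate header: 24-byte SRH carrying two 8-byte compressed addresses. */
  int pl = 0;
  printf("legit: status=%d path_len=%d\n", srh_validate(24, 0, 8, 8, 2, &pl), pl);

  /* Constructed hostile header: cmpre=15 shrinks path_len to 1 while segments_left=200. */
  int bad_pl = compute_path_len(16, 0, 8, 15);
  long off = unchecked_next_addr_offset(bad_pl, 200, 8);
  printf("hostile: path_len=%d offset=%ld in_header=%d status=%d\n",
         bad_pl, off, offset_in_header(off, 8, 16), srh_validate(16, 0, 8, 15, 200, NULL));
  return 0;
}
```

The hostile case shows the mechanism the advisory describes: a large cmpre makes the formula yield a single-address path, the unchecked index step lands far outside the header, and the validating version rejects the packet on the segments_left comparison before any copy happens.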
The problem has been patched in Contiki-NG 4.5.
Users can apply the patch in Contiki-NG PR #1183.
The recommended procedure for processing source routing headers is documented in RFC 6554.
For more information
If you have any questions or comments about this advisory: