Impact
A buffer overflow can be triggered by an input packet when using either of Contiki-NG's two RPL implementations in source-routing mode. In particular, the segments_left value taken from the source routing header is not validated against the path_len value, which is calculated in the os/net/routing/rpl-lite/rpl-ext-header.c module on line 117 as follows:
path_len = ((ext_len - padding - RPL_RH_LEN - RPL_SRH_LEN - (16 - cmpre)) / (16 - cmpri)) + 1;
Since the cmpre value used in this calculation is taken from the packet and is therefore attacker-controlled, it is possible to produce a path_len value that is smaller than the segments_left value. The index of the next address to process, computed on line 132 of the same module from the difference between path_len and segments_left, can then wrap and yield an index that points outside the packet buffer. The memcpy call on line 143 subsequently overflows the buffer.
Note that the problem exists in the os/net/routing/rpl-classic/rpl-ext-header.c module as well, but with different line numbers.
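As an added illustration (this is example code written for this advisory, not Contiki-NG's own source), the following C program parses the fixed part of an RFC 6554 source routing header from two constructed headers, applies the path_len formula quoted above, and computes the next-address offset both the unchecked way (an 8-bit index that wraps) and with the segments_left check that RFC 6554 calls for. The struct and function names, and the sample bytes, are assumptions made here.

```c
/* Added example, not Contiki-NG code: RFC 6554 SRH fixed-part parser with the
 * advisory's path_len formula, an unchecked next-address offset computation,
 * and a checked one. Names and sample bytes are constructed for this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SRH_ROUTING_TYPE 3
#define RPL_RH_LEN  4   /* next header, hdr ext len, routing type, segments left */
#define RPL_SRH_LEN 4   /* CmprI|CmprE, Pad|reserved, reserved, reserved        */

struct srh {
  unsigned ext_len;       /* whole header in bytes: 8 * (hdr ext len + 1) */
  uint8_t  segments_left;
  uint8_t  cmpri, cmpre, padding;
  uint8_t  path_len;      /* n, the number of addresses the header carries */
};

/* Decode the fixed 8-byte part. Returns 0 on success, -1 if the buffer is too
 * short, the routing type is wrong, or the header outruns the packet. */
static int srh_parse(const uint8_t *pkt, size_t pkt_len, struct srh *h)
{
  if (pkt_len < RPL_RH_LEN + RPL_SRH_LEN || pkt[2] != SRH_ROUTING_TYPE)
    return -1;
  h->ext_len = (pkt[1] + 1u) * 8u;
  if (h->ext_len > pkt_len)
    return -1;
  h->segments_left = pkt[3];
  h->cmpri   = pkt[4] >> 4;
  h->cmpre   = pkt[4] & 0x0f;
  h->padding = pkt[5] >> 4;
  /* The advisory's formula, stored in a uint8_t as an embedded stack would.
   * An attacker-chosen cmpre shrinks it regardless of how many addresses exist. */
  int body = (int)h->ext_len - h->padding - RPL_RH_LEN - RPL_SRH_LEN - (16 - h->cmpre);
  h->path_len = (uint8_t)(body / (16 - h->cmpri) + 1);
  return 0;
}

/* Unchecked: index = path_len - segments_left in 8-bit arithmetic. When
 * segments_left > path_len the subtraction wraps and the offset lands far
 * outside the header; a memcpy using it would read or write out of bounds. */
static unsigned vulnerable_next_addr_offset(const struct srh *h)
{
  uint8_t i = (uint8_t)(h->path_len - h->segments_left);
  return RPL_RH_LEN + RPL_SRH_LEN + (unsigned)i * (16u - h->cmpri);
}

/* Checked: RFC 6554 section 4.2 says to discard a packet whose Segments Left
 * exceeds n. The bounds check on the selected address also catches a path_len
 * that was inflated by a negative intermediate value. */
static int safe_next_addr_offset(const struct srh *h, unsigned *offset)
{
  if (h->segments_left == 0 || h->segments_left > h->path_len)
    return -1;
  unsigned i = h->path_len - h->segments_left;              /* 0 <= i < path_len */
  unsigned addr_len = (i == h->path_len - 1u) ? 16u - h->cmpre : 16u - h->cmpri;
  unsigned off = RPL_RH_LEN + RPL_SRH_LEN + i * (16u - h->cmpri);
  if (off + addr_len > h->ext_len)
    return -1;
  *offset = off;
  return 0;
}

/* Constructed headers (not captured traffic). Layout: [0] next hdr, [1] hdr ext
 * len, [2] type, [3] segments left, [4] CmprI<<4|CmprE, [5] Pad<<4, [6..7]
 * reserved, then the address vector. */
static const uint8_t benign_srh[32] = {   /* 3 addresses, CmprI = CmprE = 8 */
  59, 3, SRH_ROUTING_TYPE, 3, 0x88, 0x00, 0, 0,
  0x02,0x12,0x4b,0x00,0x00,0x00,0x00,0x01,
  0x02,0x12,0x4b,0x00,0x00,0x00,0x00,0x02,
  0x02,0x12,0x4b,0x00,0x00,0x00,0x00,0x03,
};
/* Same length, but CmprE = 15 drives path_len down to 2 while Segments Left
 * claims 5 hops remain; the remaining 24 bytes are zero filler. */
static const uint8_t evil_srh[32] = { 59, 3, SRH_ROUTING_TYPE, 5, 0x0f, 0x00 };

/* Wrappers over a raw packet so each result can be checked directly. */
static int parsed_path_len(const uint8_t *pkt, size_t len)
{
  struct srh h;
  return srh_parse(pkt, len, &h) == 0 ? h.path_len : -1;
}
static long vuln_offset(const uint8_t *pkt, size_t len)
{
  struct srh h;
  return srh_parse(pkt, len, &h) == 0 ? (long)vulnerable_next_addr_offset(&h) : -1;
}
static long safe_offset(const uint8_t *pkt, size_t len)   /* -1 = packet discarded */
{
  struct srh h; unsigned off;
  if (srh_parse(pkt, len, &h) != 0 || safe_next_addr_offset(&h, &off) != 0)
    return -1;
  return (long)off;
}

int main(void)
{
  printf("benign: path_len=%d unchecked=%ld checked=%ld\n", parsed_path_len(benign_srh, 32),
         vuln_offset(benign_srh, 32), safe_offset(benign_srh, 32));
  printf("evil:   path_len=%d unchecked=%ld checked=%ld\n", parsed_path_len(evil_srh, 32),
         vuln_offset(evil_srh, 32), safe_offset(evil_srh, 32));
  return 0;
}
```

For the benign header both computations select offset 8, the first address. For the crafted header path_len comes out as 2, the 8-bit index wraps to 253 and the unchecked offset is 4056 bytes into a 32-byte header; the checked variant discards the packet because Segments Left (5) exceeds path_len (2).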
Patches
The problem has been patched in Contiki-NG 4.5.
Workarounds
Users can apply the patch in Contiki-NG PR #1183.
References
The recommended procedure for processing source routing headers is documented in RFC 6554. In particular, section 4.2 requires a node to discard a packet (and send an ICMPv6 Parameter Problem message to the source) when Segments Left is greater than the number of addresses carried in the header.
For more information
If you have any questions or comments about this advisory: