Buffer overflow in RPL source routing header processing

moderate
joakimeriksson published GHSA-6xf2-77gf-fgjx Jun 18, 2021

Package

Contiki-NG

Affected versions

< 4.5

Patched versions

4.5

Description

Impact

A buffer overflow can be triggered by an input packet when using either of Contiki-NG's two RPL implementations in source-routing mode. In particular, the segments_left value taken from the source routing header is not validated against the path_len value, which is calculated in the os/net/routing/rpl-lite/rpl-ext-header.c module on line 117 as follows:

path_len = ((ext_len - padding - RPL_RH_LEN - RPL_SRH_LEN - (16 - cmpre)) / (16 - cmpri)) + 1;

Since the cmpre value used in this calculation can be controlled by an attacker, it is possible to generate a path_len value that is smaller than the segments_left value. When the index of the next address to process is calculated on line 132, the value can then overflow and yield an index that points outside the packet buffer. The memcpy call on line 143 will then cause a buffer overflow.

Note that the problem exists in the os/net/routing/rpl-classic/rpl-ext-header.c module as well, but with different line numbers.
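The following C program is an added illustration and is not part of the advisory or of Contiki-NG's own source. It evaluates the path_len formula quoted above on decoded header fields and adds the check that RFC 6554 requires before an address is selected: Segments Left must not exceed the number of addresses the header actually carries. The struct srh_fields type and the function names are hypothetical; RPL_RH_LEN and RPL_SRH_LEN are assumed to be 4 bytes each (the generic routing header and the RPL-specific CmprI/CmprE/Pad/Reserved word), and the sample field values are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Header layout constants as used in the advisory's formula. Assumed here
 * to match Contiki-NG's definitions: a 4-byte generic routing header
 * (next header, length, routing type, segments left) followed by the
 * 4-byte RPL-specific word (CmprI, CmprE, Pad, Reserved). */
#define RPL_RH_LEN  4
#define RPL_SRH_LEN 4

/* Fields decoded from an RPL source routing header (hypothetical struct,
 * not Contiki-NG's). Signed ints are used deliberately so that an
 * inconsistent combination shows up as a negative intermediate value
 * instead of wrapping around in unsigned arithmetic. */
struct srh_fields {
  int ext_len;        /* total header length in bytes: (Hdr Ext Len + 1) * 8 */
  int segments_left;  /* Segments Left field */
  int cmpri;          /* CmprI, 0..15: octets elided from each non-final address */
  int cmpre;          /* CmprE, 0..15: octets elided from the final address */
  int padding;        /* Pad field, 0..7 */
};

/* Number of addresses in the header, using the formula quoted in the
 * advisory (the same expression as RFC 6554's n). Returns -1 when the
 * fields cannot describe a well-formed header. */
int srh_path_len(const struct srh_fields *h)
{
  if (h->cmpri < 0 || h->cmpri > 15 || h->cmpre < 0 || h->cmpre > 15 ||
      h->padding < 0 || h->padding > 7 ||
      h->ext_len < RPL_RH_LEN + RPL_SRH_LEN) {
    return -1;
  }
  /* Bytes left for the non-final addresses once the final one is removed. */
  int addr_bytes = h->ext_len - h->padding - RPL_RH_LEN - RPL_SRH_LEN
                   - (16 - h->cmpre);
  if (addr_bytes < 0) {
    return -1;  /* not even room for the final address */
  }
  return addr_bytes / (16 - h->cmpri) + 1;
}

/* The validation the advisory describes as missing: Segments Left must not
 * exceed path_len (RFC 6554 mandates a Parameter Problem otherwise).
 * Returns the index of the next address (RFC 6554's i = n - Segments Left),
 * or -1 when the header must be rejected. The result equals path_len only
 * when segments_left is 0, i.e. no address remains to be processed. */
int srh_next_index(const struct srh_fields *h)
{
  int path_len = srh_path_len(h);
  if (path_len < 0 || h->segments_left < 0 || h->segments_left > path_len) {
    return -1;
  }
  return path_len - h->segments_left;
}

/* Byte offset of address `index` inside the header, after checking that the
 * whole (compressed) address lies within ext_len. Returns -1 if copying it
 * would read outside the header. */
int srh_addr_offset(const struct srh_fields *h, int index)
{
  int path_len = srh_path_len(h);
  if (path_len < 0 || index < 0 || index >= path_len) {
    return -1;
  }
  int stride = 16 - h->cmpri;
  int len = (index == path_len - 1) ? 16 - h->cmpre : stride;
  int off = RPL_RH_LEN + RPL_SRH_LEN + index * stride;
  if (off + len > h->ext_len - h->padding) {
    return -1;
  }
  return off;
}

int main(void)
{
  /* Constructed sample: three 8-byte compressed addresses (CmprI=CmprE=8),
   * ext_len 32, no padding, Segments Left 3 -> consistent. */
  struct srh_fields good = { 32, 3, 8, 8, 0 };
  /* Same header with CmprE set to 0: the formula now yields path_len = 2
   * while Segments Left still claims 3, so the header is rejected instead
   * of producing an index of -1. */
  struct srh_fields bad = { 32, 3, 8, 0, 0 };

  printf("good: path_len=%d next=%d\n", srh_path_len(&good), srh_next_index(&good));
  printf("bad:  path_len=%d next=%d\n", srh_path_len(&bad), srh_next_index(&bad));
  return 0;
}
```

The second sample shows the mismatch the advisory describes: changing only CmprE shrinks path_len below Segments Left, and without the comparison in srh_next_index the subtraction would go negative (or wrap, in unsigned code) before the address copy. Keeping every intermediate signed and checking the copy range in srh_addr_offset gives two independent places where such a packet is dropped.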

Patches

The problem has been patched in Contiki-NG 4.5.

Workarounds

Users can apply the patch in Contiki-NG PR #1183.

References

The recommended procedure for processing source routing headers is documented in RFC 6554.

For more information

If you have any questions or comments about this advisory:

CVE ID

CVE-2021-21282