Impact
An out-of-bounds read can be triggered by 6LoWPAN packets sent to Contiki-NG devices. The IPv6 header decompression function (uncompress_hdr_iphc) does not perform proper boundary checks when reading from the packet buffer. Hence, it is possible to construct a compressed 6LoWPAN packet that causes the function to read more bytes than are available in the packet buffer.
In particular, on line 1284 in the module os/net/ipv6/sicslowpan.c, the following statement attempts to read len bytes from the packet buffer.
memcpy((uint8_t *)exthdr + UIP_EXT_HDR_LEN, hc06_ptr, len);
The len value is not checked against the number of bytes available in the packet buffer, thereby making memcpy read beyond the buffer boundary.
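The missing check described above, shown as an added example; this is not Contiki-NG code and not the patch from PR #1482. The pkt_cursor struct, the function names and the EXT_HDR_LEN value are assumptions made for illustration, and the frame bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EXT_HDR_LEN 2 /* stand-in for UIP_EXT_HDR_LEN; value assumed here */

/* Hypothetical read cursor: buf[0..size) is the received packet buffer and
 * off is the current read position (the role hc06_ptr plays). */
struct pkt_cursor {
  const uint8_t *buf;
  size_t size;
  size_t off;
};

/* Bytes still readable; 0 if the cursor already sits past the end. */
static size_t pkt_remaining(const struct pkt_cursor *c)
{
  return c->off > c->size ? 0 : c->size - c->off;
}

/* Copy len bytes to dst + EXT_HDR_LEN. Returns 0 on success, -1 when the
 * packet-supplied len exceeds the bytes left in the packet or dst's room. */
static int copy_ext_hdr_payload(struct pkt_cursor *c, uint8_t *dst,
                                size_t dst_cap, size_t len)
{
  if(len > pkt_remaining(c)) {
    return -1; /* would read past the end of the packet buffer */
  }
  if(dst_cap < EXT_HDR_LEN || len > dst_cap - EXT_HDR_LEN) {
    return -1; /* would write past the end of the destination */
  }
  memcpy(dst + EXT_HDR_LEN, c->buf + c->off, len);
  c->off += len;
  return 0;
}

int main(void)
{
  /* Constructed bytes, not a real IPHC encoding: byte 1 claims 20 payload
   * bytes but only 4 follow. */
  const uint8_t frame[6] = { 0x00, 20, 1, 2, 3, 4 };
  uint8_t dst[32] = { 0 };
  struct pkt_cursor c = { frame, sizeof(frame), 2 };
  int rc = copy_ext_hdr_payload(&c, dst, sizeof(dst), frame[1]);
  printf("claimed=%u available=%zu rc=%d\n", (unsigned)frame[1], pkt_remaining(&c), rc);
  return rc == -1 ? 0 : 1;
}
```

A decompression routine that rejects the packet on a -1 return drops the malformed frame instead of copying memory that lies beyond the packet buffer.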
Patches
The problem has been patched in the develop branch of the contiki-ng repository, and is expected to be included in the next Contiki-NG release.
Workarounds
Users can apply the patch in Contiki-NG PR #1482.
For more information
If you have any questions or comments about this advisory: