Skip to content

Out-of-bounds read in the 6LoWPAN implementation

Low
joakimeriksson published GHSA-hhwj-2p59-v8p9 Jun 18, 2021

Package

Contiki-NG

Affected versions

<= 4.6

Patched versions

None

Description

Impact

An out-of-bounds read can be triggered by 6LoWPAN packets sent to Contiki-NG devices. The IPv6 header decompression function
(uncompress_hdr_iphc) does not perform proper boundary checks when reading from the packet buffer. Hence, it is possible to construct a compressed 6LoWPAN packet that will read more bytes than what is available from the packet buffer.

In particular, on line 1284 in the module os/net/ipv6/sicslowpan.c, the following statement attempts to read len bytes from the packet buffer.

memcpy((uint8_t *)exthdr + UIP_EXT_HDR_LEN, hc06_ptr, len);

The len value is not checked against the number of bytes available in the packet buffer, thereby making memcpy read beyond the buffer boundary.

Patches

The problem has been patched in the develop branch of the contiki-ng repository, and is expected to be included in the next Contiki-NG release.

Workarounds

Users can apply the patch in Contiki-NG PR #1482.

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

CVE-2021-21410

Weaknesses

No CWEs