Impact
After a TCP connection has been established with the tcp-socket library, the remote end can send a segment whose TCP data offset field is never validated. When the stack computes the payload length from that field, the unchecked offset can make the 16-bit packet length wrap around, which leads to out-of-bounds reads from memory.
The data offset is stored directly in the variable c without being checked against the actual packet length:
/* Calculate the length of the data, if the application has sent any data to us. */
c = (UIP_TCP_BUF->tcpoffset >> 4) << 2;
The packet length is then updated at os/net/ipv6/uip6.c line 1846 using the tainted variable c:
uip_len = uip_len - c - UIP_IPH_LEN;
Hence, by choosing the TCP data offset field of an incoming segment, an attacker controls the resulting value of uip_len, which is never checked against the space actually available in the uip_buf array where the packet is stored. Because the data offset nibble allows c to be as large as 60 bytes, any segment shorter than c plus the 40-byte IPv6 header makes the subtraction wrap to a value near 65535, and subsequent code then reads far past the bytes that were actually received.
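The following is an added example written for this advisory, not code from Contiki-NG. It reproduces the tainted calculation on a constructed IPv6+TCP packet and places a hardened version beside it that rejects a data offset shorter than the 20-byte minimum TCP header or longer than the bytes actually received. It assumes, as in uIP, that uip_len counts the packet from the start of the IPv6 header; the helper names (vulnerable_payload_len, hardened_payload_len, build_packet) and the sample packets are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header sizes as used by uIP: fixed IPv6 header, minimum TCP header. */
#define UIP_IPH_LEN  40u
#define UIP_TCPH_LEN 20u

/* Byte offset of the TCP "data offset / reserved" octet in an IPv6+TCP packet:
 * 40 bytes of IPv6 header, then ports (4), seq (4) and ack (4). */
#define TCPOFFSET_BYTE (UIP_IPH_LEN + 12u)

/* Vulnerable computation as described in the advisory: c comes straight from
 * the attacker-controlled data-offset nibble and is subtracted from uip_len
 * with no bounds check. The uint16_t result wraps when c + 40 > uip_len. */
static uint16_t vulnerable_payload_len(const uint8_t *uip_buf, uint16_t uip_len)
{
    uint16_t c = (uint16_t)((uip_buf[TCPOFFSET_BYTE] >> 4) << 2);
    return (uint16_t)(uip_len - c - UIP_IPH_LEN);
}

/* Hardened version, an illustrative fix written for this example (not the
 * project's own patch). Returns the TCP payload length, or -1 when the data
 * offset is below the 20-byte minimum or extends past the received bytes. */
static int hardened_payload_len(const uint8_t *uip_buf, uint16_t uip_len)
{
    if (uip_len < UIP_IPH_LEN + UIP_TCPH_LEN) {
        return -1;                      /* not even a complete TCP header */
    }
    uint16_t c = (uint16_t)((uip_buf[TCPOFFSET_BYTE] >> 4) << 2);
    uint16_t l4_len = (uint16_t)(uip_len - UIP_IPH_LEN);
    if (c < UIP_TCPH_LEN || c > l4_len) {
        return -1;                      /* header claims more than was received */
    }
    return (int)(l4_len - c);
}

/* Builds a constructed packet in buf: every byte zero except the data-offset
 * nibble, set to dataoff (in 32-bit words, 5..15). The other header fields
 * play no part in the bug, so they are left blank in this sample. */
static void build_packet(uint8_t *buf, size_t cap, uint8_t dataoff)
{
    memset(buf, 0, cap);
    buf[TCPOFFSET_BYTE] = (uint8_t)(dataoff << 4);
}

/* Runs the vulnerable calculation on a constructed packet of pkt_len bytes
 * whose data-offset nibble is dataoff, and returns the resulting uip_len. */
static uint16_t vulnerable_result(uint16_t pkt_len, uint8_t dataoff)
{
    uint8_t buf[128];
    build_packet(buf, sizeof buf, dataoff);
    return vulnerable_payload_len(buf, pkt_len);
}

/* Same scenario through the hardened calculation. */
static int hardened_result(uint16_t pkt_len, uint8_t dataoff)
{
    uint8_t buf[128];
    build_packet(buf, sizeof buf, dataoff);
    return hardened_payload_len(buf, pkt_len);
}

int main(void)
{
    /* Malicious: 60-byte segment (no payload) claiming a 60-byte TCP header.
     * The vulnerable path computes 60 - 60 - 40 and wraps to 65496. */
    printf("malicious: vulnerable=%u hardened=%d\n",
           vulnerable_result(60, 15), hardened_result(60, 15));
    /* Benign: 70-byte segment with the normal 20-byte header, 10 payload bytes. */
    printf("benign:    vulnerable=%u hardened=%d\n",
           vulnerable_result(70, 5), hardened_result(70, 5));
    return 0;
}
```

The check in hardened_payload_len is the invariant the original code lacks: the TCP header length taken from the packet must lie between the fixed header size and the number of bytes actually present after the IPv6 header, so uip_len can never wrap and uip_buf is never read beyond the received data.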
Patches
The problem has been patched in Contiki-NG 4.6.
Workarounds
Users can apply the patch in Contiki-NG PR #1183.
For more information
If you have any questions or comments about this advisory: