
Buffer overflow due to unvalidated TCP data offset

Moderate
joakimeriksson published GHSA-mc42-fqfr-h9fp Jun 18, 2021

Package

Contiki-NG

Affected versions

< 4.6

Patched versions

4.6

Description

Impact

After a TCP socket has been established through the tcp-socket library, the remote end can send a segment whose TCP data offset field is never validated. When the stack derives the TCP header length from that field and subtracts it from the packet length, the packet length can overflow (the unsigned subtraction wraps around to a large value), leading to out-of-bounds reads from memory.

The header length derived from the data offset field is stored directly in the c variable, without any check against the actual packet length:

/* Calculate the length of the data, if the application has sent any data to us. */
c = (UIP_TCP_BUF->tcpoffset >> 4) << 2;

The packet length is then updated at os/net/ipv6/uip6.c line 1846, using the tainted c variable:

uip_len = uip_len - c - UIP_IPH_LEN;

Hence, by choosing the TCP data offset field of an input packet, an attacker controls the resulting uip_len value without any validation against the space actually available in uip_buf, the array in which the packet is stored. A uip_len larger than the bytes received causes the stack to read past the data that was actually written into the buffer.
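The calculation above, modelled as an added example that is not Contiki-NG code: a constructed IPv6/TCP packet whose data offset nibble claims a 60-byte TCP header while only the 20 mandatory header bytes are present is run through the unchecked computation and through a hypothetical bounds-checked version side by side. The function names, build_packet, and the UIP_BUFSIZE value are assumptions made for the demo, and the check shown is an illustration of the missing validation, not the fix merged in PR #1183.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* uIP-style constants; the first two match uIP's IPv6 build. */
#define UIP_IPH_LEN    40                    /* IPv6 header length */
#define UIP_TCPH_LEN   20                    /* minimum legal TCP header length */
#define TCP_OFFSET_POS (UIP_IPH_LEN + 12)    /* byte holding the TCP data offset nibble */
#define UIP_BUFSIZE    128                   /* assumed uip_buf size for this demo */

/* Vulnerable computation, mirroring the two lines quoted from uip6.c:
 * c is taken straight from the packet and subtracted from uip_len.
 * For a bogus offset the subtraction goes negative and wraps when the
 * result is stored back into the 16-bit uip_len. */
static uint16_t tcp_len_unchecked(const uint8_t *buf, uint16_t uip_len)
{
    uint8_t c = (uint8_t)((buf[TCP_OFFSET_POS] >> 4) << 2);
    uip_len = (uint16_t)(uip_len - c - UIP_IPH_LEN);
    return uip_len;
}

/* Hypothetical hardened version (not the project's patch): the header length
 * must be at least 20 bytes and must not exceed what actually follows the
 * IPv6 header. Returns 1 and stores the payload length on success, 0 on a
 * malformed packet (*payload is then 0). */
static int tcp_len_checked(const uint8_t *buf, uint16_t uip_len, uint16_t *payload)
{
    uint8_t c = (uint8_t)((buf[TCP_OFFSET_POS] >> 4) << 2);
    *payload = 0;
    if (uip_len < UIP_IPH_LEN + UIP_TCPH_LEN) {
        return 0;                      /* too short to hold both headers */
    }
    if (c < UIP_TCPH_LEN || c > uip_len - UIP_IPH_LEN) {
        return 0;                      /* data offset points outside the packet */
    }
    *payload = (uint16_t)(uip_len - c - UIP_IPH_LEN);
    return 1;
}

/* Build a constructed IPv6+TCP packet in buf (sample input, not captured
 * traffic): a zeroed IPv6 header with next-header TCP, a 20-byte TCP header
 * whose data offset nibble is offset_words, then payload_len bytes of 'A'.
 * Returns the total length, i.e. the value uip_len would hold. */
static uint16_t build_packet(uint8_t *buf, uint8_t offset_words, uint16_t payload_len)
{
    uint16_t total = (uint16_t)(UIP_IPH_LEN + UIP_TCPH_LEN + payload_len);
    uint16_t ip_payload = (uint16_t)(UIP_TCPH_LEN + payload_len);

    memset(buf, 0, UIP_BUFSIZE);
    buf[0] = 0x60;                                    /* IP version 6 */
    buf[4] = (uint8_t)(ip_payload >> 8);              /* IPv6 payload length */
    buf[5] = (uint8_t)(ip_payload & 0xff);
    buf[6] = 6;                                       /* next header = TCP */
    buf[TCP_OFFSET_POS] = (uint8_t)(offset_words << 4);
    memset(buf + UIP_IPH_LEN + UIP_TCPH_LEN, 'A', payload_len);
    return total;
}

int main(void)
{
    uint8_t uip_buf[UIP_BUFSIZE];
    uint16_t uip_len, payload;

    /* Attacker packet: data offset nibble 15 claims a 60-byte TCP header,
     * but only the 20 mandatory header bytes and no payload are present. */
    uip_len = build_packet(uip_buf, 15, 0);
    printf("claimed header 60, packet %u bytes: unchecked uip_len -> %u (uip_buf holds %u)\n",
           uip_len, tcp_len_unchecked(uip_buf, uip_len), UIP_BUFSIZE);
    printf("checked: %s\n",
           tcp_len_checked(uip_buf, uip_len, &payload) ? "accepted" : "rejected");

    /* Well-formed packet: 20-byte header followed by 10 bytes of payload. */
    uip_len = build_packet(uip_buf, 5, 10);
    tcp_len_checked(uip_buf, uip_len, &payload);
    printf("well-formed: unchecked %u, checked %u\n",
           tcp_len_unchecked(uip_buf, uip_len), payload);
    return 0;
}
```

The wrapped uip_len from the first packet is far larger than the buffer that holds it, which is exactly the condition under which the subsequent handling reads beyond uip_buf; the hardened variant rejects that packet before any length is trusted, and still returns the correct payload length for the well-formed one.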

Patches

The problem has been patched in Contiki-NG 4.6.

Workarounds

Users who cannot upgrade to 4.6 can apply the patch from Contiki-NG PR #1183.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-21281

Weaknesses

No CWEs