Impact
An out-of-bounds write exists in the driver for IEEE 802.15.4 radios on nRF platforms in the Contiki-NG operating system. The problem is triggered when parsing radio frames in the read_frame function in the arch/cpu/nrf/net/nrf-ieee-driver-arch.c module.
More specifically, the read_frame function performs an incomplete validation of the payload length of the packet, which is a value that can be set by an external party that sends radio packets to a Contiki-NG system. Although the value is validated to be in the range of the MTU length, it is not validated to fit into the given buffer into which the packet will be copied.
Patches
The problem has been patched in the "develop" branch of Contiki-NG.
Workarounds
One can apply the changes in Contiki-NG pull request #2741 to patch the system.
For more information
If you have any questions or comments about this advisory:
Open an issue in https://github.com/contiki-ng/contiki-ng
Email us at security@contiki-ng.org
Impact
An out-of-bounds write exists in the driver for IEEE 802.15.4 radios on nRF platforms in the Contiki-NG operating system. The problem is triggered when parsing radio frames in the read_frame function in the arch/cpu/nrf/net/nrf-ieee-driver-arch.c module.
More specifically, the read_frame function performs an incomplete validation of the payload length of the packet, which is a value that can be set by an external party that sends radio packets to a Contiki-NG system. Although the value is validated to be in the range of the MTU length, it is not validated to fit into the given buffer into which the packet will be copied.
Patches
The problem has been patched in the "develop" branch of Contiki-NG.
Workarounds
One can apply the changes in Contiki-NG pull request #2741 to patch the system.
For more information
If you have any questions or comments about this advisory:
Open an issue in https://github.com/contiki-ng/contiki-ng
Email us at security@contiki-ng.org