Impact
An attacker can perform a denial-of-service attack by triggering an infinite loop in the processing of IPv6 neighbor solicitation (NS) messages. This type of attack can effectively shut down the operation of the system because of the cooperative scheduling used for the main parts of Contiki-NG and its communication stack.
The problem exists in the ns_input function in the os/net/ipv6/uip-nd6.c module, where the nd6_opt_offset variable is expected to be incremented in a loop that performs options processing. The nd6_opt_offset variable is an unsigned 8-bit integer that can overflow in the addition on line 246,
nd6_opt_offset += (ND6_OPT_HDR_BUF(nd6_opt_offset)->len << 3);
This statement depends on an insufficiently validated value taken from the input packet. An attacker can craft that value so that nd6_opt_offset is not incremented, which results in the infinite loop.
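The following added example (not code from Contiki-NG and not the patch in PR #1410) models the 8-bit addition quoted above and shows one way to walk an option area so that every iteration makes forward progress. The names advance_u8 and walk_options and the sample byte arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Models the advisory's statement with an 8-bit offset:
 * nd6_opt_offset += (len << 3); the sum is truncated to 8 bits. */
static uint8_t advance_u8(uint8_t offset, uint8_t len_field)
{
  offset += (len_field << 3);
  return offset;
}

/* Hypothetical hardened walk over an ND option area. Each option is
 * {type, len, data...} with len counted in units of 8 bytes.
 * Returns the number of options, or -1 if the area is malformed. */
static int walk_options(const uint8_t *opts, size_t opts_len)
{
  size_t offset = 0;  /* size_t, so the addition below cannot wrap at 256 */
  int count = 0;

  while(offset < opts_len) {
    size_t opt_bytes;
    if(opts_len - offset < 2) {
      return -1;      /* truncated option header */
    }
    opt_bytes = (size_t)opts[offset + 1] << 3;
    if(opt_bytes == 0 || opt_bytes > opts_len - offset) {
      return -1;      /* no forward progress, or option overruns the area */
    }
    offset += opt_bytes;
    count++;
  }
  return count;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t good_opt[8] = { 1, 1, 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t zero_len[8] = { 1, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t wrap_len[8] = { 1, 32, 0, 0, 0, 0, 0, 0 };

int main(void)
{
  /* Exit status 0 when the 8-bit sum stalls and the walker rejects both bad areas. */
  return !(advance_u8(40, 32) == 40 &&
           walk_options(good_opt, sizeof(good_opt)) == 1 &&
           walk_options(zero_len, sizeof(zero_len)) == -1 &&
           walk_options(wrap_len, sizeof(wrap_len)) == -1);
}
```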
Patches
The problem has been patched in Contiki-NG 4.6.
Workarounds
Users can apply the patch in Contiki-NG PR #1410.
For more information
If you have any questions or comments about this advisory: