Infinite loop in IPv6 neighbor solicitation processing

Moderate
joakimeriksson published GHSA-rr5j-j8m8-fc4f Jun 18, 2021

Package

Contiki-NG

Affected versions

< 4.6

Patched versions

4.6

Description

Impact

An attacker can perform a denial-of-service attack by triggering an infinite loop in the processing of IPv6 neighbor solicitation (NS) messages. This type of attack can effectively shut down the operation of the system because of the cooperative scheduling used for the main parts of Contiki-NG and its communication stack.

The problem exists in the ns_input function in the os/net/ipv6/uip-nd6.c module, where the nd6_opt_offset variable is expected to be incremented in a loop that performs options processing. The nd6_opt_offset variable is an unsigned 8-bit integer that can overflow in the addition on line 246,

nd6_opt_offset += (ND6_OPT_HDR_BUF(nd6_opt_offset)->len << 3);

This statement depends on an insufficiently validated value taken from the input packet. An attacker can craft that value so that nd6_opt_offset is not incremented, which results in the infinite loop.
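
A defensive version of the options walk described above, as an added example: it is not Contiki-NG code and not the patch from the PR. The names nd6_count_options and ND6_OPT_MALFORMED and the sample buffers are hypothetical; the option layout (type byte, then length in units of 8 bytes) is the one from RFC 4861.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ND6_OPT_MALFORMED (-1) /* hypothetical error code for this example */

/* Walk the options area of an ND message (byte 0 = type, byte 1 = length in
 * units of 8 bytes). Returns the number of options, or ND6_OPT_MALFORMED if
 * an option would not advance the walk or would run past the buffer. */
static int
nd6_count_options(const uint8_t *opts, size_t opts_len)
{
  size_t offset = 0; /* size_t, not uint8_t: the addition below cannot wrap */
  int count = 0;

  while(offset < opts_len) {
    size_t remaining = opts_len - offset;
    size_t step;

    if(remaining < 2) {
      return ND6_OPT_MALFORMED; /* no room for the type and length bytes */
    }
    step = (size_t)opts[offset + 1] << 3;
    if(step == 0 || step > remaining) {
      return ND6_OPT_MALFORMED; /* no progress, or option overruns the data */
    }
    offset += step; /* strictly increasing and bounded by opts_len */
    count++;
  }
  return count;
}

/* Constructed sample option areas (not captured traffic). */
static const uint8_t opt_valid[8] = { 1, 1, 0x02, 0, 0, 0, 0, 0x01 };
static const uint8_t opt_two[16] = { 1, 1, 0x02, 0, 0, 0, 0, 0x01,
                                     1, 1, 0x02, 0, 0, 0, 0, 0x02 };
static const uint8_t opt_zero_len[8] = { 1, 0, 0, 0, 0, 0, 0, 0 };
static const uint8_t opt_overrun[8] = { 1, 2, 0, 0, 0, 0, 0, 0 };

int main(void)
{
  printf("valid=%d two=%d zero_len=%d overrun=%d\n",
         nd6_count_options(opt_valid, sizeof(opt_valid)),
         nd6_count_options(opt_two, sizeof(opt_two)),
         nd6_count_options(opt_zero_len, sizeof(opt_zero_len)),
         nd6_count_options(opt_overrun, sizeof(opt_overrun)));
  return 0;
}
```

Because every accepted step is at least 8 and at most the remaining length, the loop runs a bounded number of iterations for any input.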

Patches

The problem has been patched in Contiki-NG 4.6.

Workarounds

Users can apply the patch in Contiki-NG PR #1410.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2021-21279

Weaknesses

No CWEs