Impact
RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device to trigger a NULL pointer dereference leading to denial of service.
Patches
No public patches are available.
Workarounds
For more information
If you have any questions or comments about this advisory:
Bug Details
If gnrc_pktbuf_mark is used to mark an entire snippet and pkt->size is already aligned, then pkt->data will be set to NULL (source):

    pkt->data = (pkt->size != size) ? (((uint8_t *)pkt->data) + size) :
                NULL;

The NULL pointer snippet is not removed from the packet chain.
The function is used in the call to _mark_frag_hdr in _rbuf_add (source). If the length of pkt is exactly the length of the fragment header, then pkt->data will be set to NULL. Afterwards pkt is passed to gnrc_sixlowpan_iphc_recv (source). Then pkt->data is extracted as iphc_hdr (source), which is then passed to _iphc_ipv6_decode (source), and inside this function the NULL pointer dereference happens.
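The following is an added example, not code from RIOT-OS or from this advisory. It models the trigger condition in a few lines of plain C: a snippet whose size equals the fragment-header length is marked, the remainder keeps its place in the chain with a NULL data pointer, and a guarded receive path then refuses to hand that empty remainder to the decoder. The struct, the names model_mark, model_iphc_decode, mark_leaves_null_data and guarded_receive, and the frame bytes are all constructed for illustration and do not mirror RIOT's gnrc_pktsnip_t or its real function signatures.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a packet-buffer snippet; not RIOT's gnrc_pktsnip_t.
 * Only the fields needed to show the bug condition are modelled. */
typedef struct snip {
    struct snip *next;
    uint8_t *data;   /* payload pointer, becomes NULL when nothing is left */
    size_t size;     /* bytes remaining in this snippet */
} snip_t;

/* Model of marking the first `size` bytes of `pkt` as a separate snippet.
 * The remainder stays in the chain; if nothing is left, its data pointer is
 * set to NULL, mirroring the conditional quoted in the advisory. */
static snip_t *model_mark(snip_t *pkt, size_t size)
{
    if (pkt == NULL || pkt->data == NULL || size > pkt->size) {
        return NULL;
    }
    snip_t *marked = calloc(1, sizeof(*marked));
    if (marked == NULL) {
        return NULL;
    }
    marked->data = pkt->data;
    marked->size = size;
    marked->next = pkt->next;
    pkt->next = marked;
    pkt->data = (pkt->size != size) ? (pkt->data + size) : NULL;
    pkt->size -= size;
    return marked;
}

static void model_free_chain(snip_t *pkt)
{
    while (pkt != NULL) {
        snip_t *next = pkt->next;
        free(pkt);
        pkt = next;
    }
}

/* Stand-in for the IPHC decoder: it reads the first byte of the buffer it is
 * given, which is where a NULL data pointer would be dereferenced. */
static int model_iphc_decode(const uint8_t *iphc_hdr, size_t len, uint8_t *out)
{
    if (len == 0) {
        return -1;
    }
    *out = iphc_hdr[0];
    return 0;
}

/* Returns 1 if marking `hdr_len` bytes off a `frame_len`-byte snippet leaves
 * the remainder with a NULL data pointer, 0 otherwise, -1 on model error. */
int mark_leaves_null_data(size_t frame_len, size_t hdr_len)
{
    uint8_t *buf = calloc(frame_len ? frame_len : 1, 1);
    snip_t *pkt = calloc(1, sizeof(*pkt));
    if (buf == NULL || pkt == NULL) { free(buf); free(pkt); return -1; }
    pkt->data = buf;
    pkt->size = frame_len;
    int result = (model_mark(pkt, hdr_len) == NULL) ? -1 : (pkt->data == NULL);
    model_free_chain(pkt);
    free(buf);
    return result;
}

/* Guarded receive path: mark the fragment header, then drop the frame if the
 * remainder is empty instead of passing it on to the decoder.
 * Returns 0 on successful decode, -1 if the frame is dropped. */
int guarded_receive(const uint8_t *frame, size_t frame_len, size_t hdr_len,
                    uint8_t *first_payload_byte)
{
    if (frame == NULL || hdr_len > frame_len) {
        return -1;
    }
    uint8_t *buf = malloc(frame_len ? frame_len : 1);
    snip_t *pkt = calloc(1, sizeof(*pkt));
    if (buf == NULL || pkt == NULL) { free(buf); free(pkt); return -1; }
    memcpy(buf, frame, frame_len);
    pkt->data = buf;
    pkt->size = frame_len;

    int rc = -1;
    if (model_mark(pkt, hdr_len) != NULL) {
        /* The check that prevents the crash: a fragment that carries only its
         * header has no IPHC payload, so there is nothing to decode. */
        if (pkt->data != NULL && pkt->size > 0) {
            rc = model_iphc_decode(pkt->data, pkt->size, first_payload_byte);
        }
    }
    model_free_chain(pkt);
    free(buf);
    return rc;
}

int main(void)
{
    /* Constructed frames: a 4-byte header followed by 0 or 2 payload bytes. */
    const uint8_t header_only[4] = {0xc0, 0x10, 0x12, 0x34};
    const uint8_t with_payload[6] = {0xc0, 0x10, 0x12, 0x34, 0x7a, 0x00};
    uint8_t b = 0;
    printf("header-only: null remainder=%d, guarded rc=%d\n",
           mark_leaves_null_data(4, 4), guarded_receive(header_only, 4, 4, &b));
    printf("with payload: null remainder=%d, guarded rc=%d, first byte=0x%02x\n",
           mark_leaves_null_data(6, 4), guarded_receive(with_payload, 6, 4, &b), b);
    return 0;
}
```

The guard in guarded_receive is the shape of check a caller of the marking step needs once the remainder can legitimately be an empty snippet: either the empty snippet is removed from the chain, or every consumer verifies data and size before dereferencing.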