From 1aeb90ee5555ae78b567a6365ae4ab71bfd1404b Mon Sep 17 00:00:00 2001
From: Martine Lenders
Date: Tue, 30 May 2023 14:39:00 +0200
Subject: [PATCH] gnrc_sixlowpan_frag_rb: fix OOB write in _rbuf_add
---
 .../sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c b/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c
index d406f60576..1112969719 100644
--- a/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c
+++ b/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c
@@ -461,6 +461,19 @@ static int _rbuf_add(gnrc_netif_hdr_t *netif_hdr, gnrc_pktsnip_t *pkt,
 else if (IS_USED(MODULE_GNRC_SIXLOWPAN_FRAG_SFR) &&
 sixlowpan_sfr_rfrag_is(pkt->data)) {
 entry.super->datagram_size--;
+ /* Check, if fragment is still small enough to fit datagram size.
+ * `offset` is 0, as this is the first fragment so it does not have to be added
+ * here. */
+ if (frag_size > entry.super->datagram_size) {
+ DEBUG_PUTS(
+ "6lo rfrag: fragment too big for resulting datagram, "
+ "discarding datagram\n"
+ );
+ gnrc_pktbuf_release(entry.rbuf->pkt);
+ gnrc_pktbuf_release(pkt);
+ gnrc_sixlowpan_frag_rb_remove(entry.rbuf);
+ return RBUF_ADD_ERROR;
+ }
 }
 }
 }
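Review bot: The new bound in the SFR first-fragment branch is evaluated after `entry.super->datagram_size--;`, so it trusts the decremented value: if `datagram_size` is an unsigned field and can be 0 at this point (neither its type nor an earlier zero check is visible in the hunk), the decrement wraps and `frag_size > entry.super->datagram_size` never rejects. Comparing before the decrement, `if (frag_size >= entry.super->datagram_size) {` with the same discard body, is equivalent for non-zero sizes and also drops the zero case. The release of `entry.rbuf->pkt` followed by `gnrc_sixlowpan_frag_rb_remove(entry.rbuf)` presumably mirrors the function's other error paths; it is worth confirming that the remove call does not release the packet a second time. `_rbuf_add` starts and continues outside the hunk.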