gnrc_sixlowpan_iphc: fix integer underflow in gnrc_sixlowpan_iphc_recv()

2025-01-18 12:52:44 +01:00 · 2022-09-23 11:56:43 +02:00 · 2022-09-23 11:56:43 +02:00 · 2709fbd827
commit 2709fbd827
parent 73615161c0
1 changed files with 14 additions and 7 deletions
--- a/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
+++ b/sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
@ -760,8 +760,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
    iface = gnrc_netif_hdr_get_netif(netif->data);
    payload_offset = _iphc_ipv6_decode(iphc_hdr, netif->data, iface,
                                       ipv6->data);
-    if (payload_offset == 0) {
-        /* unable to parse IPHC header */
+    if ((payload_offset == 0) || (payload_offset > sixlo->size)) {
+        /* unable to parse IPHC header or malicious packet */
+        DEBUG("6lo iphc: malformed IPHC header\n");
        _recv_error_release(sixlo, ipv6, rbuf);
        return;
    }
@ -781,7 +782,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
                                                           &prev_nh_offset,
                                                           ipv6,
                                                           &uncomp_hdr_len);
-                    if (payload_offset == 0) {
+                    if ((payload_offset == 0) || (payload_offset > sixlo->size)) {
+                        /* unable to parse IPHC header or malicious packet */
+                        DEBUG("6lo iphc: malformed IPHC NHC IPv6 header\n");
                        _recv_error_release(sixlo, ipv6, rbuf);
                        return;
                    }
@ -796,7 +799,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
                                                          prev_nh_offset,
                                                          ipv6,
                                                          &uncomp_hdr_len);
-                    if (payload_offset == 0) {
+                    if ((payload_offset == 0) || (payload_offset > sixlo->size)) {
+                        /* unable to parse IPHC header or malicious packet */
+                        DEBUG("6lo iphc: malformed IPHC NHC IPv6 header\n");
                        _recv_error_release(sixlo, ipv6, rbuf);
                        return;
                    }
@ -898,9 +903,11 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
    /* re-assign IPv6 header in case realloc changed the address */
    ipv6_hdr = ipv6->data;
    ipv6_hdr->len = byteorder_htons(payload_len);
-    memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len,
-           ((uint8_t *)sixlo->data) + payload_offset,
-           sixlo->size - payload_offset);
+    if (sixlo->size > payload_offset) {
+        memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len,
+               ((uint8_t *)sixlo->data) + payload_offset,
+               sixlo->size - payload_offset);
+    }
    if (rbuf != NULL) {
        rbuf->super.current_size += (uncomp_hdr_len - payload_offset);
 #ifdef MODULE_GNRC_SIXLOWPAN_FRAG_VRB