gnrc_sixlowpan_frag_rb: fix integer underflow in _6lo_frag_size()

2025-01-18 12:52:44 +01:00 · 2022-09-23 12:07:56 +02:00 · 2022-09-23 12:07:56 +02:00 · 9728f727e7
commit 9728f727e7
parent 2709fbd827
1 changed files with 11 additions and 0 deletions
--- a/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c
+++ b/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c
@ -236,6 +236,9 @@ static size_t _6lo_frag_size(gnrc_pktsnip_t *pkt, size_t offset, uint8_t *data)
    size_t frag_size;

    if (offset == 0) {
+        if (pkt->size < sizeof(sixlowpan_frag_t)) {
+            return 0;
+        }
        frag_size = pkt->size - sizeof(sixlowpan_frag_t);
        if (data[0] == SIXLOWPAN_UNCOMP) {
            /* subtract SIXLOWPAN_UNCOMP byte from fragment size,
@ -244,6 +247,9 @@ static size_t _6lo_frag_size(gnrc_pktsnip_t *pkt, size_t offset, uint8_t *data)
        }
    }
    else {
+        if (pkt->size < sizeof(sixlowpan_frag_n_t)) {
+            return 0;
+        }
        frag_size = pkt->size - sizeof(sixlowpan_frag_n_t);
    }
    return frag_size;
@ -306,6 +312,11 @@ static int _rbuf_add(gnrc_netif_hdr_t *netif_hdr, gnrc_pktsnip_t *pkt,
    if (IS_USED(MODULE_GNRC_SIXLOWPAN_FRAG) && sixlowpan_frag_is(pkt->data)) {
        data = _6lo_frag_payload(pkt);
        frag_size = _6lo_frag_size(pkt, offset, data);
+        if (frag_size == 0) {
+            DEBUG("6lo rbuf: integer underflow detected.\n");
+            gnrc_pktbuf_release(pkt);
+            return RBUF_ADD_ERROR;
+        }
        datagram_size = sixlowpan_frag_datagram_size(pkt->data);
        datagram_tag = sixlowpan_frag_datagram_tag(pkt->data);
    }