gnrc_netif: Fix out-of-bounds buffer access in ieee802154 netif

2025-01-18 12:52:44 +01:00 · 2018-01-31 20:50:07 +01:00 · 2018-01-31 20:50:07 +01:00 · cfe0143eec
commit cfe0143eec
parent c68a9f7895
2 changed files with 6 additions and 1 deletions
--- a/sys/include/net/ieee802154.h
+++ b/sys/include/net/ieee802154.h
@ -46,6 +46,8 @@ extern "C" {
 * @{
 */
 #define IEEE802154_MAX_HDR_LEN              (23U)
+#define IEEE802154_MIN_FRAME_LEN            (IEEE802154_FCF_LEN + sizeof(uint8_t))
+
 #define IEEE802154_FCF_LEN                  (2U)
 #define IEEE802154_FCS_LEN                  (2U)

--- a/sys/net/gnrc/netif/gnrc_netif_ieee802154.c
+++ b/sys/net/gnrc/netif/gnrc_netif_ieee802154.c
@ -82,7 +82,7 @@ static gnrc_pktsnip_t *_recv(gnrc_netif_t *netif)
    gnrc_pktsnip_t *pkt = NULL;
    int bytes_expected = dev->driver->recv(dev, NULL, 0, NULL);

-    if (bytes_expected > 0) {
+    if (bytes_expected >= (int)IEEE802154_MIN_FRAME_LEN) {
        int nread;

        pkt = gnrc_pktbuf_add(NULL, NULL, bytes_expected, GNRC_NETTYPE_UNDEF);
@ -155,6 +155,9 @@ static gnrc_pktsnip_t *_recv(gnrc_netif_t *netif)

        DEBUG("_recv_ieee802154: reallocating.\n");
        gnrc_pktbuf_realloc_data(pkt, nread);
+    } else if (bytes_expected > 0) {
+        DEBUG("_recv_ieee802154: received frame is too short\n");
+        dev->driver->recv(dev, NULL, bytes_expected, NULL);
    }

    return pkt;