RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device resulting in a large out of bounds write beyond the packet buffer. The write will create a hard fault exception after reaching the last page of RAM. The hard fault is not handled and the system will be stuck until reset. Thus the impact is denial of service.
While copying the payload from the 6LoWPAN snippet to the IPv6 snippet the payload size is calculated as the size of the 6LoWPAN packet minus the offset after decompressing the header.
A crafted packet can lead to the offset being larger than the size of the packet.
In this case payload_offset is larger than sixlo->size, leading to an integer underflow (source):
    memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len,
           ((uint8_t *)sixlo->data) + payload_offset,
           sixlo->size - payload_offset);
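The wrap-around described above, next to a bounds-checked form of the same copy. This is an added example, not RIOT's code or its patch: snip_t, unchecked_len, copy_payload_checked and demo are hypothetical names, and the 4-byte frame is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a packet snip; not RIOT's own type. */
typedef struct { void *data; size_t size; } snip_t;

/* Length as computed in the advisory's snippet: size_t subtraction wraps. */
static size_t unchecked_len(const snip_t *sixlo, size_t payload_offset)
{
    return sixlo->size - payload_offset;
}

/* Checked copy: 0 on success, -1 when the frame must be dropped. */
static int copy_payload_checked(snip_t *ipv6, size_t uncomp_hdr_len,
                                const snip_t *sixlo, size_t payload_offset)
{
    if (payload_offset > sixlo->size) {
        return -1;                      /* offset points past the frame */
    }
    size_t len = sixlo->size - payload_offset;   /* cannot wrap now */
    if (uncomp_hdr_len > ipv6->size || len > ipv6->size - uncomp_hdr_len) {
        return -1;                      /* destination too small */
    }
    memcpy((uint8_t *)ipv6->data + uncomp_hdr_len,
           (const uint8_t *)sixlo->data + payload_offset, len);
    return 0;
}

/* Constructed input: 4-byte frame, decompression reports offset `off`. */
static int demo(size_t off, uint8_t *out, size_t out_size)
{
    uint8_t frame[4] = { 0xAA, 0xBB, 0xCC, 0xDD };
    snip_t sixlo = { frame, sizeof(frame) };
    snip_t ipv6 = { out, out_size };
    return copy_payload_checked(&ipv6, 2, &sixlo, off);
}

int main(void)
{
    uint8_t out[8] = { 0 };
    snip_t sixlo = { NULL, 4 };
    printf("unchecked length for offset 6: %zu\n", unchecked_len(&sixlo, 6));
    printf("checked, offset 6: %d\n", demo(6, out, sizeof(out)));
    printf("checked, offset 1: %d\n", demo(1, out, sizeof(out)));
    return 0;
}
```

The second check matters as well: even with a valid offset, the remaining payload has to fit in the destination after the uncompressed header.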