Impact
RIOT-OS contains a network stack that can process 6LoWPAN frames. An attacker can send a crafted frame to the device, resulting in a large out-of-bounds write beyond the packet buffer. The write triggers a hard fault exception once it reaches the last page of RAM. The hard fault is not handled, and the system remains stuck until it is reset. The impact is therefore denial of service.
Patches
Workarounds
- Disable support for fragmented IP datagrams, or
- Backport the patches listed above
For more information
If you have any questions or comments about this advisory:
Bug Details
In _6lo_frag_size the fragment size is calculated as frag_size = pkt->size - sizeof(sixlowpan_frag_n_t); (source). sizeof(sixlowpan_frag_n_t) is 4 bytes but pkt->size can be less, resulting in an integer underflow. _rbuf_add later uses this value as size argument for memcpy (source).
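The underflow described above, next to a length-checked form, as an added example that is not RIOT's code or its patch. The 4-byte `frag_n_hdr_t` stand-in follows the size stated in this advisory; `rbuf_copy_checked`, the buffer sizes and the sample frame are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for sixlowpan_frag_n_t, sized per the advisory (4 bytes). */
typedef struct { uint8_t raw[4]; } frag_n_hdr_t;

/* Pattern from the advisory: unsigned subtraction with no length check. */
static size_t frag_size_unchecked(size_t pkt_size)
{
    return pkt_size - sizeof(frag_n_hdr_t);   /* wraps if pkt_size < 4 */
}

/* Hardened form: reject frames shorter than the fragment header. */
static int frag_size_checked(size_t pkt_size, size_t *frag_size)
{
    if (pkt_size < sizeof(frag_n_hdr_t)) {
        return -1;
    }
    *frag_size = pkt_size - sizeof(frag_n_hdr_t);
    return 0;
}

/* Hypothetical reassembly copy: validates both lengths before memcpy. */
static int rbuf_copy_checked(uint8_t *rbuf, size_t rbuf_len, size_t offset,
                             const uint8_t *frame, size_t frame_len)
{
    size_t frag_size;
    if (frag_size_checked(frame_len, &frag_size) < 0) {
        return -1;                            /* truncated header */
    }
    /* Written so the comparison itself cannot overflow. */
    if (offset > rbuf_len || frag_size > rbuf_len - offset) {
        return -1;                            /* payload would not fit */
    }
    memcpy(rbuf + offset, frame + sizeof(frag_n_hdr_t), frag_size);
    return (int)frag_size;
}

int main(void)
{
    uint8_t rbuf[64] = {0};
    const uint8_t frame[] = {0xe0, 0x10};     /* constructed 2-byte frame */
    printf("unchecked size: %zu\n", frag_size_unchecked(sizeof(frame)));
    printf("checked copy:   %d\n",
           rbuf_copy_checked(rbuf, sizeof(rbuf), 0, frame, sizeof(frame)));
    return 0;
}
```

With the 2-byte frame, the unchecked calculation yields a value just below `SIZE_MAX`, which is what turns the later `memcpy` into a write that runs past the buffer; the checked path rejects the frame before any copy.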