Skip to content

Missing dhcpv6_opt_t minimum header length check

High
miri64 published GHSA-xgv3-pcq6-qmrg Nov 22, 2024

Package

RIOT-OS (RIOT-OS)

Affected versions

<=2024.04

Patched versions

None

Description

Summary

In the function _parse_advertise in /sys/net/application_layer/dhcpv6/client.c, the absence of minimum header length check for dhcpv6_opt_t could result in an out-of-bound read during the preparse and parse phase.

Details

In the function _parse_advertise, located in /sys/net/application_layer/dhcpv6/client.c, there is no minimum header length check for dhcpv6_opt_t after processing dhcpv6_msg_t. This omission could lead to an out-of-bound read, causing system inconsistency.

Additionally, the same lack of a header length check is present in the function _preparse_advertise, which is called by _parse_advertise before handling the request.

static int _preparse_advertise(uint8_t *adv, size_t len, uint8_t **buf)
{
    dhcpv6_opt_duid_t *cid = NULL, *sid = NULL;
    dhcpv6_opt_pref_t *pref = NULL;
    dhcpv6_opt_status_t *status = NULL;
    size_t orig_len = len;
    uint8_t pref_val = 0;

    DEBUG("DHCPv6 client: received ADVERTISE\n");
    if ((len < sizeof(dhcpv6_msg_t)) || !_is_tid((dhcpv6_msg_t *)adv)) {
        DEBUG("DHCPv6 client: packet too small or transaction ID wrong\n");
        return -1;
    }
    len -= sizeof(dhcpv6_msg_t);
    for (dhcpv6_opt_t *opt = (dhcpv6_opt_t *)(&adv[sizeof(dhcpv6_msg_t)]);
         len > 0; len -= _opt_len(opt), opt = _opt_next(opt)) {
        if (len > orig_len) {
            DEBUG("DHCPv6 client: ADVERTISE options overflow packet boundaries\n");
            return -1;
        }

        /* The absence of a size check for the remaining portion of opt */

        /* There should be also size check of remaining opt for each type */
        switch (byteorder_ntohs(opt->type)) {
            case DHCPV6_OPT_CID:
                cid = (dhcpv6_opt_duid_t *)opt;
                break;
            case DHCPV6_OPT_SID:
                sid = (dhcpv6_opt_duid_t *)opt;
                break;
            case DHCPV6_OPT_STATUS:
                status = (dhcpv6_opt_status_t *)opt;
                break;
            case DHCPV6_OPT_PREF:
                pref = (dhcpv6_opt_pref_t *)opt;
                break;
            default:
                break;

    ...
}

Impact

The missing header length check in both _parse_advertise and _preparse_advertise can lead to out-of-bound reads, potentially causing system instability and inconsistency.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2024-52802

Weaknesses

Credits