From 3c19aa7dfc455443cc140f58d18748a7154aed43 Mon Sep 17 00:00:00 2001
From: Martine Lenders
Date: Mon, 15 Apr 2019 15:41:18 +0200
Subject: [PATCH] gnrc_netif_ieee802154: check if mhr_len is lesser than nread
---
 sys/net/gnrc/netif/ieee802154/gnrc_netif_ieee802154.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/sys/net/gnrc/netif/ieee802154/gnrc_netif_ieee802154.c b/sys/net/gnrc/netif/ieee802154/gnrc_netif_ieee802154.c
index 258237c58d..0bb39366bc 100644
--- a/sys/net/gnrc/netif/ieee802154/gnrc_netif_ieee802154.c
+++ b/sys/net/gnrc/netif/ieee802154/gnrc_netif_ieee802154.c
@@ -143,7 +143,9 @@ static gnrc_pktsnip_t *_recv(gnrc_netif_t *netif)
 #endif
 size_t mhr_len = ieee802154_get_frame_hdr_len(pkt->data);
- if (mhr_len == 0) {
+ /* nread was checked for <= 0 before so we can safely cast it to
+ * unsigned */
+ if ((mhr_len == 0) || ((size_t)nread < mhr_len)) {
 DEBUG("_recv_ieee802154: illegally formatted frame received\n");
 gnrc_pktbuf_release(pkt);
 return NULL;
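Review bot: The new length check runs only after `ieee802154_get_frame_hdr_len(pkt->data)` has already parsed the frame, and that helper is given no length, so it cannot bound its own reads against `nread`. If it inspects the frame control field to derive the header length (its body is not in this hunk, so this is inferred), a frame shorter than that field would be read past the received bytes before the `(size_t)nread < mhr_len` comparison can reject it. Consider rejecting such frames before the call, e.g. `if ((size_t)nread < IEEE802154_FCF_LEN) { gnrc_pktbuf_release(pkt); return NULL; }`, or passing the received length into the helper. The cast also depends on the earlier `nread <= 0` check named in the comment, which lies outside this hunk, as does the rest of `_recv`.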