From 9728f727e75d7d78dbfb5918e0de1b938b7b6d2c Mon Sep 17 00:00:00 2001
From: Martine Lenders
Date: Fri, 23 Sep 2022 12:07:56 +0200
Subject: [PATCH] gnrc_sixlowpan_frag_rb: fix integer underflow in _6lo_frag_size()
---
 .../sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c b/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c
index 97fa3cd2fd..d406f60576 100644
--- a/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c
+++ b/sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c
@@ -236,6 +236,9 @@ static size_t _6lo_frag_size(gnrc_pktsnip_t *pkt, size_t offset, uint8_t *data)
 size_t frag_size;
 if (offset == 0) {
+ if (pkt->size < sizeof(sixlowpan_frag_t)) {
+ return 0;
+ }
 frag_size = pkt->size - sizeof(sixlowpan_frag_t);
 if (data[0] == SIXLOWPAN_UNCOMP) {
 /* subtract SIXLOWPAN_UNCOMP byte from fragment size,
@@ -244,6 +247,9 @@ static size_t _6lo_frag_size(gnrc_pktsnip_t *pkt, size_t offset, uint8_t *data)
 }
 }
 else {
+ if (pkt->size < sizeof(sixlowpan_frag_n_t)) {
+ return 0;
+ }
 frag_size = pkt->size - sizeof(sixlowpan_frag_n_t);
 }
 return frag_size;
@@ -306,6 +312,11 @@ static int _rbuf_add(gnrc_netif_hdr_t *netif_hdr, gnrc_pktsnip_t *pkt,
 if (IS_USED(MODULE_GNRC_SIXLOWPAN_FRAG) && sixlowpan_frag_is(pkt->data)) {
 data = _6lo_frag_payload(pkt);
 frag_size = _6lo_frag_size(pkt, offset, data);
+ if (frag_size == 0) {
+ DEBUG("6lo rbuf: integer underflow detected.\n");
+ gnrc_pktbuf_release(pkt);
+ return RBUF_ADD_ERROR;
+ }
 datagram_size = sixlowpan_frag_datagram_size(pkt->data);
 datagram_tag = sixlowpan_frag_datagram_tag(pkt->data);
 }
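Review bot: A first fragment whose `pkt->size` equals `sizeof(sixlowpan_frag_t)` still passes the added `<` check in the `offset == 0` branch (hunk `@@ -236,6 +236,9 @@`), so `frag_size` is 0 when the context line `if (data[0] == SIXLOWPAN_UNCOMP) {` is evaluated. If `data` points just past the fragment header, as the `_6lo_frag_payload(pkt)` call in `_rbuf_add()` suggests, that read is one byte beyond the packet, and a matching byte would let the decrement described by the following comment wrap `frag_size` around. Guard the dispatch check with the length, `if ((frag_size > 0) && (data[0] == SIXLOWPAN_UNCOMP)) {`, so a header-only fragment yields 0 and is dropped by the caller. The decrement itself and the end of this branch lie outside the hunk.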
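Review bot: `_6lo_frag_size()` now uses 0 as an in-band error value, but nothing at the function says so; the `else` branch in hunk `@@ -244,6 +247,9 @@` returns 0 both for a packet shorter than `sizeof(sixlowpan_frag_n_t)` and, through the subtraction, for one that is exactly header-sized. A short comment above the function would make that contract explicit for future callers, for example `/* returns the fragment size, or 0 if pkt is too short to hold the fragment header or carries no payload */`. The function's signature and opening brace are outside the hunk.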
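Review bot: The `DEBUG` text added in `_rbuf_add()` (hunk `@@ -306,6 +312,11 @@`) reports an integer underflow, yet `frag_size == 0` is also what `_6lo_frag_size()` returns for a fragment that is exactly header-sized, where nothing underflowed. A message that states what was observed is more useful when tracing malformed frames, e.g. `DEBUG("6lo rbuf: fragment too short (%u bytes), dropping\n", (unsigned)pkt->size);`. The new path calls `gnrc_pktbuf_release(pkt)` before returning `RBUF_ADD_ERROR`. The other error returns of `_rbuf_add()` are outside the hunk, so it is worth confirming that they release `pkt` the same way and that the caller does not release it again.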