gnrc_netif: Fix out-of-bounds buffer access in ieee802154 netif

sys/include/net/ieee802154.h

@@ -46,6 +46,8 @@ extern "C" {
  * @{
  */
 #define IEEE802154_MAX_HDR_LEN              (23U)
+#define IEEE802154_MIN_FRAME_LEN            (IEEE802154_FCF_LEN + sizeof(uint8_t))
+
 #define IEEE802154_FCF_LEN                  (2U)
 #define IEEE802154_FCS_LEN                  (2U)
 

sys/net/gnrc/netif/gnrc_netif_ieee802154.c

@@ -82,7 +82,7 @@ static gnrc_pktsnip_t *_recv(gnrc_netif_t *netif)
     gnrc_pktsnip_t *pkt = NULL;
     int bytes_expected = dev->driver->recv(dev, NULL, 0, NULL);
 
-    if (bytes_expected > 0) {
+    if (bytes_expected >= (int)IEEE802154_MIN_FRAME_LEN) {
         int nread;
 
         pkt = gnrc_pktbuf_add(NULL, NULL, bytes_expected, GNRC_NETTYPE_UNDEF);
@@ -155,6 +155,9 @@ static gnrc_pktsnip_t *_recv(gnrc_netif_t *netif)
 
         DEBUG("_recv_ieee802154: reallocating.\n");
         gnrc_pktbuf_realloc_data(pkt, nread);
+    } else if (bytes_expected > 0) {
+        DEBUG("_recv_ieee802154: received frame is too short\n");
+        dev->driver->recv(dev, NULL, bytes_expected, NULL);
     }
 
     return pkt;