CVE-2021-32771: Check RPL Target prefix length and buffer boundary. by nvt · Pull Request #1615 · contiki-ng/contiki-ng
Contiki-NG is an open-source, cross-platform operating system for IoT devices. In affected versions it is possible to cause a buffer overflow when copying an IPv6 address prefix in the RPL-Classic implementation in Contiki-NG. To trigger the vulnerability, the Contiki-NG system must have joined an RPL DODAG. After that, an attacker can send a DAO packet with a Target option whose prefix length field is larger than 128 bits (the maximum length of an IPv6 address); the prefix was copied into a fixed-size address buffer without checking that field. The fix was merged after the release of Contiki-NG 4.7. Users unable to upgrade to a fixed version may apply the patch in Contiki-NG PR #1615.
@@ -744,6 +744,19 @@ dao_input_storing(void) case RPL_OPTION_TARGET: /* Handle the target option. */ prefixlen = buffer[i + 3]; if(prefixlen == 0) { /* Ignore option targets with a prefix length of 0. */ break; } if(prefixlen > 128) { LOG_ERR("Too large target prefix length %d\n", prefixlen); return; } if(i + 4 + ((prefixlen + 7) / CHAR_BIT) > buffer_length) { LOG_ERR("Insufficient space to copy RPL Target of %d bits\n", prefixlen); return; } memset(&prefix, 0, sizeof(prefix)); memcpy(&prefix, buffer + i + 4, (prefixlen + 7) / CHAR_BIT); break; @@ -981,6 +994,19 @@ dao_input_nonstoring(void) case RPL_OPTION_TARGET: /* Handle the target option. */ prefixlen = buffer[i + 3]; if(prefixlen == 0) { /* Ignore option targets with a prefix length of 0. */ break; } if(prefixlen > 128) { LOG_ERR("Too large target prefix length %d\n", prefixlen); return; } if(i + 4 + ((prefixlen + 7) / CHAR_BIT) > buffer_length) { LOG_ERR("Insufficient space to copy RPL Target of %d bits\n", prefixlen); return; } memset(&prefix, 0, sizeof(prefix)); memcpy(&prefix, buffer + i + 4, (prefixlen + 7) / CHAR_BIT); break;
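Review bot: The new bounds check in the RPL_OPTION_TARGET case of dao_input_storing guards the copy against the end of the ICMP payload but not against the Target option's own length byte, so a prefix length that exceeds what the option declares is accepted and the copy silently pulls bytes from whatever option follows. Memory safety is now covered by the `buffer_length` comparison, but a malformed option should be rejected rather than parsed across its boundary. Assuming the standard RPL option layout (type, length, flags, prefix length, which is what `prefixlen = buffer[i + 3]` implies), add after the `> 128` guard: `if(buffer[i + 1] < 2 + (prefixlen + 7) / CHAR_BIT) { LOG_ERR("Target option too short for a %d-bit prefix\n", prefixlen); return; }`. The option-length handling and the enclosing dao_input_storing body start and end outside this hunk, so if the length is already read into a local there, compare against that instead.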
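Review bot: In dao_input_nonstoring the upper bound `128` is a magic number with no connection to the destination it protects, while the clear two lines later is bounded by `sizeof(prefix)`; writing the guard as `if(prefixlen > sizeof(prefix) * CHAR_BIT) {` ties the check to the actual destination so a later change to the prefix type cannot silently reopen the overflow. The same thirteen added lines appear verbatim in the dao_input_storing hunk above; a small static helper that validates and copies the Target prefix, returning failure on a bad length, would keep the two parsers from drifting apart the next time one of them is patched. The enclosing dao_input_nonstoring body starts and ends outside this hunk.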