CVE-2023-24820: gnrc_sixlowpan: Various hardening fixes [backport 2022.10] by miri64 · Pull Request #18820 · RIOT-OS/RIOT

@@ -760,8 +760,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr, iface = gnrc_netif_hdr_get_netif(netif->data); payload_offset = _iphc_ipv6_decode(iphc_hdr, netif->data, iface, ipv6->data); if (payload_offset == 0) { /* unable to parse IPHC header */ if ((payload_offset == 0) || (payload_offset > sixlo->size)) { /* unable to parse IPHC header or malicious packet */ DEBUG(“6lo iphc: malformed IPHC header\n”); _recv_error_release(sixlo, ipv6, rbuf); return; } @@ -781,7 +782,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr, &prev_nh_offset, ipv6, &uncomp_hdr_len); if (payload_offset == 0) { if ((payload_offset == 0) || (payload_offset > sixlo->size)) { /* unable to parse IPHC header or malicious packet */ DEBUG(“6lo iphc: malformed IPHC NHC IPv6 header\n”); _recv_error_release(sixlo, ipv6, rbuf); return; } @@ -796,7 +799,9 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr, prev_nh_offset, ipv6, &uncomp_hdr_len); if (payload_offset == 0) { if ((payload_offset == 0) || (payload_offset > sixlo->size)) { /* unable to parse IPHC header or malicious packet */ DEBUG(“6lo iphc: malformed IPHC NHC IPv6 header\n”); _recv_error_release(sixlo, ipv6, rbuf); return; } @@ -898,9 +903,11 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr, /* re-assign IPv6 header in case realloc changed the address */ ipv6_hdr = ipv6->data; ipv6_hdr->len = byteorder_htons(payload_len); memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len, ((uint8_t *)sixlo->data) + payload_offset, sixlo->size - payload_offset); if (sixlo->size > payload_offset) { memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len, ((uint8_t *)sixlo->data) + payload_offset, sixlo->size - payload_offset); } if (rbuf != NULL) { rbuf->super.current_size += (uncomp_hdr_len - payload_offset); #ifdef MODULE_GNRC_SIXLOWPAN_FRAG_VRB