Headline
CVE-2023-33973: NULL pointer dereference during NHC encoding
RIOT-OS, an operating system for Internet of Things (IoT) devices, contains a network stack with the ability to process 6LoWPAN frames. In versions 2023.01 and prior, an attacker can send a crafted frame which is forwarded by the device. During encoding of the packet a NULL pointer dereference occurs. This crashes the device leading to denial of service. A patch is available at pull request 19678. There are no known workarounds.
Affected versions
<= 2023.01
Impact
RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame which is forwarded by the device. During encoding of the packet a NULL pointer dereference occurs. This crashes the device leading to denial of service.
Patches
None
Workarounds
- None
For more information
If you have any questions or comments about this advisory:
- Open an issue in RIOT
- Email us at RIOT-security
Bug Details
The function _iphc_encode checks if the next header exists (source):
if (pkt->next->next == NULL) {
DEBUG("6lo iphc: packet next header missing data");
gnrc_pktbuf_release(dispatch);
return NULL;
}
If the next header is an encapsulated IPv6 header _nhc_ipv6_encode_snip will be called (source):
case PROTNUM_IPV6: { /* encapsulated IPv6 header */
local_pos = _nhc_ipv6_encode_snip(pkt, netif_hdr, iface,
&iphc_hdr[inline_pos], &nh);
break;
}
The function extracts the header (source):
gnrc_pktsnip_t *hdr = pkt->next->next;
The header is then passed to _iphc_ipv6_encode (source):
tmp = (ssize_t)_iphc_ipv6_encode(hdr, netif_hdr, iface, &nhc_data[nhc_len]);
This function tries to access the actual IPv6 header (source):
ipv6_hdr_t *ipv6_hdr = pkt->next->data;
But it is not checked if the packet actually contains a next snippet and thus next might be NULL and the usage of ->data will result in a NULL pointer dereference.