Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

security fixes [backport 2023.04] #19497

Merged
merged 3 commits into from
Apr 24, 2023
Merged

security fixes [backport 2023.04] #19497

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
89918d5
Merge pull request from GHSA-xqm8-xj74-fjw2
kaspar030 Apr 21, 2023
41e7c28
Merge pull request from GHSA-xfj4-9g7w-f4gh
kaspar030 Apr 21, 2023
fce1e38
Merge pull request from GHSA-xjgw-7638-29g5
kaspar030 Apr 21, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions sys/net/gnrc/network_layer/sixlowpan/frag/sfr/gnrc_sixlowpan_frag_sfr.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -309,6 +309,10 @@ static int _forward_rfrag(gnrc_pktsnip_t *pkt, _generic_rb_entry_t *entry,
/* ====== PUBLIC FUNCTION DEFINITIONS ====== */
void gnrc_sixlowpan_frag_sfr_init(void)
{
/* initialize _arq_timer if not yet done */
if (_arq_timer.callback == NULL) {
evtimer_init_msg(&_arq_timer);
}
if (gnrc_sixlowpan_frag_sfr_congure_snd_has_inter_frame_gap()) {
for (unsigned i = 0; i < FRAME_QUEUE_POOL_SIZE; i++) {
clist_rpush(&_frame_queue_free, &_frame_queue_pool[i].super);
Expand Down Expand Up @@ -397,10 +401,6 @@ void gnrc_sixlowpan_frag_sfr_send(gnrc_pktsnip_t *pkt, void *ctx,
_frag_seq(frag_desc), _frag_size(frag_desc),
frag_desc->offset);
if (_frag_ack_req(frag_desc)) {
/* initialize _arq_timer if not yet done */
if (_arq_timer.callback == NULL) {
evtimer_init_msg(&_arq_timer);
}
_sched_arq_timeout(fbuf, fbuf->sfr.arq_timeout);
}

Expand Down
8 changes: 8 additions & 0 deletions sys/net/gnrc/network_layer/sixlowpan/iphc/gnrc_sixlowpan_iphc.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -734,6 +734,14 @@ void gnrc_sixlowpan_iphc_recv(gnrc_pktsnip_t *sixlo, void *rbuf_ptr,
gnrc_sixlowpan_frag_vrb_t *vrbe = NULL;
#endif /* MODULE_GNRC_SIXLOWPAN_FRAG_VRB */

if (sixlo->size < 2U) {
DEBUG("6lo iphc: IPHC header truncated\n");
if (rbuf != NULL) {
gnrc_sixlowpan_frag_rb_remove(rbuf);
}
gnrc_pktbuf_release(sixlo);
return;
}
if (rbuf != NULL) {
ipv6 = rbuf->pkt;
assert(ipv6 != NULL);
Expand Down
7 changes: 7 additions & 0 deletions sys/net/gnrc/routing/rpl/srh/gnrc_rpl_srh.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -74,6 +74,13 @@ int gnrc_rpl_srh_process(ipv6_hdr_t *ipv6, gnrc_rpl_srh_t *rh, void **err_ptr)
uint8_t current_pos, pref_elided, addr_len, compri_addr_len;
const uint8_t new_seg_left = rh->seg_left - 1;

if ((rh->len * 8) < (GNRC_RPL_SRH_PADDING(rh->pad_resv) +
(16 - GNRC_RPL_SRH_COMPRE(rh->compr)))) {
DEBUG("RPL SRH: inconsistent header received\n");
*err_ptr = &rh->len;
return GNRC_IPV6_EXT_RH_ERROR;
}

assert(rh->seg_left > 0);
num_addr = (((rh->len * 8) - GNRC_RPL_SRH_PADDING(rh->pad_resv) -
(16 - GNRC_RPL_SRH_COMPRE(rh->compr))) /
Expand Down
22 changes: 22 additions & 0 deletions tests/gnrc_rpl_srh/main.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,27 @@ static void test_rpl_srh_route_multicast(void)
TEST_ASSERT_NULL(err_ptr);
}

static void test_rpl_srh_inconsistent_hdr(void)
{
static const ipv6_addr_t dst = IPV6_DST;
gnrc_rpl_srh_t srh;
void *err_ptr;
int res;

memset(&srh, 0, sizeof(srh));
memcpy(&hdr.dst, &dst, sizeof(hdr.dst));
srh.nh = 128U;
srh.len = 0U;
srh.type = 3U;
srh.seg_left = 220U;
srh.compr = 0xc0;
srh.pad_resv = 0xf0;

res = gnrc_rpl_srh_process(&hdr, &srh, &err_ptr);
TEST_ASSERT_EQUAL_INT(res, GNRC_IPV6_EXT_RH_ERROR);
TEST_ASSERT((&srh.len) == err_ptr);
}

static void test_rpl_srh_too_many_seg_left(void)
{
static const ipv6_addr_t a1 = IPV6_ADDR1;
Expand Down Expand Up @@ -239,6 +260,7 @@ static void run_unittests(void)
EMB_UNIT_TESTFIXTURES(fixtures) {
new_TestFixture(test_rpl_srh_dst_multicast),
new_TestFixture(test_rpl_srh_route_multicast),
new_TestFixture(test_rpl_srh_inconsistent_hdr),
new_TestFixture(test_rpl_srh_too_many_seg_left),
new_TestFixture(test_rpl_srh_nexthop_no_prefix_elided),
new_TestFixture(test_rpl_srh_nexthop_prefix_elided),
Expand Down
6 changes: 3 additions & 3 deletions tests/gnrc_rpl_srh/tests-as-root/01-run.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -167,7 +167,7 @@ def test_wrong_type(child, iface, hw_dst, ll_dst, ll_src):
pktbuf_empty(child)


def test_seg_left_gt_len_addresses(child, iface, hw_dst, ll_dst, ll_src):
def test_inconsistent_header(child, iface, hw_dst, ll_dst, ll_src):
# send routing header with no (0) addresses but segleft set to a value
# larger than 0
p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) /
Expand All @@ -176,7 +176,7 @@ def test_seg_left_gt_len_addresses(child, iface, hw_dst, ll_dst, ll_src):
assert(p is not None)
assert(ICMPv6ParamProblem in p)
assert(p[ICMPv6ParamProblem].code == 0) # erroneous header field encountered
assert(p[ICMPv6ParamProblem].ptr == 43) # segleft field
assert(p[ICMPv6ParamProblem].ptr == 41) # len field
pktbuf_empty(child)


Expand Down Expand Up @@ -348,7 +348,7 @@ def run(func):
raise e

run(test_wrong_type)
run(test_seg_left_gt_len_addresses)
run(test_inconsistent_header)
run(test_multicast_dst)
run(test_multicast_addr)
run(test_multiple_addrs_of_mine_uncomp)
Expand Down