Impact

RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame which is forwarded by the device. During encoding of the packet a NULL pointer dereference occurs. This crashes the device leading to denial of service.

Patches

None

Workarounds

• None

For more information

If you have any questions or comments about this advisory:

• Open an issue in RIOT
• Email us at RIOT-security

Bug Details

The function _iphc_encode checks if the next header exists (source):

    if (pkt->next->next == NULL) {
        DEBUG("6lo iphc: packet next header missing data");
        gnrc_pktbuf_release(dispatch);
        return NULL;
    }

If the next header is an encapsulated IPv6 header _nhc_ipv6_encode_snip will be called (source):

    case PROTNUM_IPV6: {    /* encapsulated IPv6 header */
        local_pos = _nhc_ipv6_encode_snip(pkt, netif_hdr, iface,
                                          &iphc_hdr[inline_pos], &nh);
        break;
    }

The function extracts the header (source):

    gnrc_pktsnip_t *hdr = pkt->next->next;

The header is then passed to _iphc_ipv6_encode (source):

    tmp = (ssize_t)_iphc_ipv6_encode(hdr, netif_hdr, iface, &nhc_data[nhc_len]);

This function tries to access the actual IPv6 header (source):

    ipv6_hdr_t *ipv6_hdr = pkt->next->data;

But it is not checked if the packet actually contains a next snippet and thus next might be NULL and the usage of ->data will result in a NULL pointer dereference.