[riot-notifications] [RIOT-OS/RIOT] gnrc_netif_ieee802154: Security issue with malformed headers (#11398)

Steffen Robertz notifications at github.com
Mon Apr 15 15:06:45 CEST 2019


Hi,
I am currently working on writing a netdev driver for a prototype transceiver created at the IAS of RWTH Aachen. Since the transceiver is not working perfectly right now, it will also receive noise and send it to RIOT. This setup therefore created a crude fuzzer.
I noticed that I ran into a problem in `gnrc_netif_ieee802154.c` when malformed packets are detected.

`static gnrc_pktsnip_t *_recv(gnrc_netif_t *netif)` will call `nread = dev->driver->recv(dev, pkt->data, bytes_expected, &rx_info);`. Therefore `nread` will contain the number of bytes read, in my case e.g. 10 bytes. Now `size_t mhr_len = ieee802154_get_frame_hdr_len(pkt->data);` will be called to determine the size of the header by evaluating the FCS bytes. In my case this equaled 21 bytes. The problem then happens when `nread -= mhr_len;` is called: `nread` underflows and now equals 65525. `od_hex_dump(pkt->data, nread, OD_WIDTH_DEFAULT);` will therefore dump the content of the stack. Further, I believe that this might be able to cause a buffer overflow somewhere in the stack, as the space is only allocated for e.g. 10 bytes and the wrong length will be passed on. However, I did not research this any further.

I believe a check would need to be added in order to make sure the underflow can't happen.

Reply to this email directly or view it on GitHub:
https://github.com/RIOT-OS/RIOT/issues/11398
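The underflow described in the report, as an added example that is neither RIOT's code nor the reporter's: a simplified header-length routine (named `frame_hdr_len` here, an assumption standing in for `ieee802154_get_frame_hdr_len`) is fed 10 constructed bytes whose frame control field claims extended addressing, so the computed 21-byte header exceeds what was read. The unchecked subtraction wraps, while the checked variant rejects the frame before any length is passed on.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Simplified 802.15.4 MHR length from the frame control field (FCF):
 * FCF(2) + seq(1) + dst PAN/addr + src PAN/addr. Returns 0 for a reserved
 * addressing mode. Added illustration, not RIOT's
 * ieee802154_get_frame_hdr_len(); security and IE headers are ignored. */
static size_t frame_hdr_len(const uint8_t *fcf)
{
    static const size_t addr_len[4] = { 0, 0, 2, 8 };
    unsigned dst_mode = (fcf[1] >> 2) & 0x3;
    unsigned src_mode = (fcf[1] >> 6) & 0x3;
    bool pan_comp = fcf[0] & 0x40;
    size_t len = 3;
    if (dst_mode == 1 || src_mode == 1) {
        return 0;                       /* reserved mode: malformed */
    }
    if (dst_mode) {
        len += 2 + addr_len[dst_mode];
    }
    if (src_mode) {
        len += (pan_comp ? 0 : 2) + addr_len[src_mode];
    }
    return len;
}

/* Mirrors the arithmetic from the report: size_t cannot go negative. */
static size_t payload_len_unchecked(const uint8_t *frame, size_t nread)
{
    return nread - frame_hdr_len(frame);  /* wraps if header > nread */
}

/* Hardened variant: refuse frames whose header is malformed or longer than
 * the bytes actually received, so the caller can drop the packet. */
static bool payload_len_checked(const uint8_t *frame, size_t nread, size_t *payload)
{
    size_t mhr_len = (nread >= 2) ? frame_hdr_len(frame) : 0;
    if (mhr_len == 0 || mhr_len > nread) {
        return false;
    }
    *payload = nread - mhr_len;
    return true;
}

/* Constructed inputs: 10 bytes of "noise" whose FCF claims extended
 * addressing (21-byte header), and a well-formed 12-byte short-address frame. */
static const uint8_t noise_frame[10] = { 0x41, 0xCC, 0x07, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF, 0x00 };
static const uint8_t good_frame[12]  = { 0x41, 0x88, 0x01, 0x34, 0x12, 0x02, 0x00, 0x01, 0x00, 'h', 'i', '!' };
```

On a 16-bit `size_t` the unchecked result is the 65525 seen in the report; on wider targets it is a correspondingly huge value, which is why the length must be validated rather than assumed.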