[riot-notifications] [RIOT-OS/RIOT] gnrc_netif_ieee802154: Security issue with malformed headers (#11398)

Martine Lenders notifications at github.com
Mon Apr 15 18:04:48 CEST 2019


> `od_hex_dump(pkt->data, nread, OD_WIDTH_DEFAULT);` will therefore dump the content of the stack.

This is only true with `ENABLE_DEBUG` in `gnrc_netif_ieee802154.c`. I can confirm that this is a bug (and that's why I fixed it), but I don't see the security risk, since `ENABLE_DEBUG` must be explicitly set within the file by the developer:

https://github.com/RIOT-OS/RIOT/blob/245a499f89ecb9095857500c79e0d4880805d060/sys/net/gnrc/netif/ieee802154/gnrc_netif_ieee802154.c#L24-L25

Due to a missing check here

https://github.com/RIOT-OS/RIOT/blob/245a499f89ecb9095857500c79e0d4880805d060/sys/net/gnrc/netif/ieee802154/gnrc_netif_ieee802154.c#L211

(which is the only place where `nread` is used after the missing check) the only "dangerous" thing is that the upper layer is receiving some bogus data from the packet buffer instead of the packet being ignored, as `gnrc_pktbuf_realloc_data()` is erroring due to a very large size provided, but the error isn't checked (since we expected `nread` to be less than or equal to `pkt->size`, which with the fix is now the case again), so the packet is given un-realloced to the upper layer.

Have a look at my test case in #11401 for further reference.

https://github.com/RIOT-OS/RIOT/issues/11398#issuecomment-483315221
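The failure mode described in the comment above (a driver-reported `nread` larger than the snip's allocation, a failing `realloc_data` call whose return value is never checked, and a packet then handed upwards un-resized) can be reproduced in a small self-contained model. The following is an added example written for this page; it is not RIOT's code and does not use RIOT's API. `pkt_t`, `pkt_realloc_data()`, `POOL_MAX` and the two `recv_*` functions are hypothetical stand-ins for `gnrc_pktsnip_t`, `gnrc_pktbuf_realloc_data()`, the packet-buffer limit and the receive path; the sizes used in `main` are constructed values.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical minimal packet snip: a data buffer and its allocated size.
 * Stand-in for gnrc_pktsnip_t, not RIOT's type. */
typedef struct {
    void *data;
    size_t size;
} pkt_t;

/* Hypothetical upper bound of the packet pool (constructed value). */
#define POOL_MAX 128

/* Hypothetical stand-in for a buffer resize helper. Like RIOT's
 * gnrc_pktbuf_realloc_data() it signals failure with a negative return
 * and leaves the snip untouched in that case; here "failure" means the
 * request exceeds POOL_MAX or the system allocator refuses. */
static int pkt_realloc_data(pkt_t *pkt, size_t size)
{
    if (size == 0 || size > POOL_MAX) {
        return -1;
    }
    void *d = realloc(pkt->data, size);
    if (d == NULL) {
        return -1;
    }
    pkt->data = d;
    pkt->size = size;
    return 0;
}

typedef enum {
    RX_DELIVERED = 0,      /* packet handed to the upper layer            */
    RX_DROPPED_LENGTH,     /* nread inconsistent with the allocation      */
    RX_DROPPED_REALLOC     /* resize failed, packet discarded             */
} rx_result_t;

/* Receive path with both checks in place: bound nread to the allocation
 * the driver was given, then honour the resize error instead of ignoring it. */
static rx_result_t recv_checked(pkt_t *pkt, int nread)
{
    if (nread <= 0 || (size_t)nread > pkt->size) {
        return RX_DROPPED_LENGTH;
    }
    if (pkt_realloc_data(pkt, (size_t)nread) < 0) {
        return RX_DROPPED_REALLOC;
    }
    return RX_DELIVERED;
}

/* Receive path modelling the bug discussed above: the return value of the
 * resize is discarded, so an oversized nread leaves pkt->size at its
 * original allocation and the snip is still "delivered". */
static rx_result_t recv_unchecked(pkt_t *pkt, int nread)
{
    (void)pkt_realloc_data(pkt, (size_t)nread); /* error silently ignored */
    return RX_DELIVERED;
}

/* Outcome of one scenario: what the receive path decided, and the size
 * of the snip the upper layer would see afterwards. */
typedef struct {
    rx_result_t result;
    size_t final_size;
} scenario_t;

/* Allocate a snip of `alloc` bytes, let the driver claim `nread` bytes,
 * run either the checked or the unchecked path, and report the outcome. */
static scenario_t run_scenario(size_t alloc, int nread, int use_checked_path)
{
    pkt_t pkt;
    pkt.data = malloc(alloc);
    assert(pkt.data != NULL);
    memset(pkt.data, 0xAB, alloc); /* constructed filler bytes */
    pkt.size = alloc;

    scenario_t out;
    out.result = use_checked_path ? recv_checked(&pkt, nread)
                                  : recv_unchecked(&pkt, nread);
    out.final_size = pkt.size;
    free(pkt.data);
    return out;
}

int main(void)
{
    /* Constructed sizes: a 64-byte snip and two driver reports. */
    scenario_t ok  = run_scenario(64, 20, 1);
    scenario_t bad = run_scenario(64, 300, 1);
    scenario_t bug = run_scenario(64, 300, 0);
    printf("checked,   nread=20 : result=%d size=%zu\n", ok.result, ok.final_size);
    printf("checked,   nread=300: result=%d size=%zu\n", bad.result, bad.final_size);
    printf("unchecked, nread=300: result=%d size=%zu\n", bug.result, bug.final_size);
    return 0;
}
```

With the checked path the oversized report is dropped before any resize is attempted; with the unchecked path the resize fails, the failure is ignored, and the 64-byte snip (still holding whatever the buffer contained) is passed upwards as if it were a 300-byte frame, which is exactly the "bogus data instead of the packet being ignored" outcome the comment describes.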