Impact

RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send a crafted frame to the device resulting in a NULL pointer dereference while encoding a 6LoWPAN IPHC header. The NULL pointer dereference causes a hard fault exception leading to denial of service.

Patches

• master
• 2022.10

Workarounds

• Backport the patches listed above

For more information

If you have any questions or comments about this advisory:

• Open an issue in RIOT
• Email us at RIOT-security

Bug Details

While encoding an IPv6 header the data is extracted from the next snippet in the packet (source):

    gnrc_pktsnip_t *hdr = pkt->next->next;
    ipv6_ext_t *ext = hdr->data;

Then the header is removed from the snippet (source):

    if (!_remove_header(pkt, hdr, ext_len)) {

If all data is consumed by the header the snippet will be removed entirely (source):

    if (hdr->size > exp_hdr_size) {
        hdr = gnrc_pktbuf_mark(hdr, exp_hdr_size,
                               GNRC_NETTYPE_UNDEF);

        if (hdr == NULL) {
            DEBUG("6lo iphc: unable to remove compressed header\n");
            return false;
        }
    }
    gnrc_pktbuf_remove_snip(pkt, hdr);

The IPv6 header that consumed the snippet can still contain a next header value and thus the firmware tries to encode another header.
During encoding the data is again read from the next snippet.
If no next snippet exists, e.g. because it was removed, the NULL pointer will be dereferenced.