Skip to content

Commit fce1e38

Browse files
kaspar030MrKevinWeiss
kaspar030
authored and
MrKevinWeiss
committed
Merge pull request from GHSA-xjgw-7638-29g5
gnrc_rpl_srh: check header fields consistency before substraction
1 parent 41e7c28 commit fce1e38

3 files changed

Lines changed: 32 additions & 3 deletions

File tree

sys/net/gnrc/routing/rpl/srh/gnrc_rpl_srh.c

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -74,6 +74,13 @@ int gnrc_rpl_srh_process(ipv6_hdr_t *ipv6, gnrc_rpl_srh_t *rh, void **err_ptr)
7474
uint8_t current_pos, pref_elided, addr_len, compri_addr_len;
7575
const uint8_t new_seg_left = rh->seg_left - 1;
7676

77+
if ((rh->len * 8) < (GNRC_RPL_SRH_PADDING(rh->pad_resv) +
78+
(16 - GNRC_RPL_SRH_COMPRE(rh->compr)))) {
79+
DEBUG("RPL SRH: inconsistent header received\n");
80+
*err_ptr = &rh->len;
81+
return GNRC_IPV6_EXT_RH_ERROR;
82+
}
83+
7784
assert(rh->seg_left > 0);
7885
num_addr = (((rh->len * 8) - GNRC_RPL_SRH_PADDING(rh->pad_resv) -
7986
(16 - GNRC_RPL_SRH_COMPRE(rh->compr))) /

tests/gnrc_rpl_srh/main.c

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -120,6 +120,27 @@ static void test_rpl_srh_route_multicast(void)
120120
TEST_ASSERT_NULL(err_ptr);
121121
}
122122

123+
static void test_rpl_srh_inconsistent_hdr(void)
124+
{
125+
static const ipv6_addr_t dst = IPV6_DST;
126+
gnrc_rpl_srh_t srh;
127+
void *err_ptr;
128+
int res;
129+
130+
memset(&srh, 0, sizeof(srh));
131+
memcpy(&hdr.dst, &dst, sizeof(hdr.dst));
132+
srh.nh = 128U;
133+
srh.len = 0U;
134+
srh.type = 3U;
135+
srh.seg_left = 220U;
136+
srh.compr = 0xc0;
137+
srh.pad_resv = 0xf0;
138+
139+
res = gnrc_rpl_srh_process(&hdr, &srh, &err_ptr);
140+
TEST_ASSERT_EQUAL_INT(res, GNRC_IPV6_EXT_RH_ERROR);
141+
TEST_ASSERT((&srh.len) == err_ptr);
142+
}
143+
123144
static void test_rpl_srh_too_many_seg_left(void)
124145
{
125146
static const ipv6_addr_t a1 = IPV6_ADDR1;
@@ -239,6 +260,7 @@ static void run_unittests(void)
239260
EMB_UNIT_TESTFIXTURES(fixtures) {
240261
new_TestFixture(test_rpl_srh_dst_multicast),
241262
new_TestFixture(test_rpl_srh_route_multicast),
263+
new_TestFixture(test_rpl_srh_inconsistent_hdr),
242264
new_TestFixture(test_rpl_srh_too_many_seg_left),
243265
new_TestFixture(test_rpl_srh_nexthop_no_prefix_elided),
244266
new_TestFixture(test_rpl_srh_nexthop_prefix_elided),

tests/gnrc_rpl_srh/tests-as-root/01-run.py

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -167,7 +167,7 @@ def test_wrong_type(child, iface, hw_dst, ll_dst, ll_src):
167167
pktbuf_empty(child)
168168

169169

170-
def test_seg_left_gt_len_addresses(child, iface, hw_dst, ll_dst, ll_src):
170+
def test_inconsistent_header(child, iface, hw_dst, ll_dst, ll_src):
171171
# send routing header with no (0) addresses but segleft set to a value
172172
# larger than 0
173173
p = srp1(Ether(dst=hw_dst) / IPv6(dst=ll_dst, src=ll_src) /
@@ -176,7 +176,7 @@ def test_seg_left_gt_len_addresses(child, iface, hw_dst, ll_dst, ll_src):
176176
assert(p is not None)
177177
assert(ICMPv6ParamProblem in p)
178178
assert(p[ICMPv6ParamProblem].code == 0) # erroneous header field encountered
179-
assert(p[ICMPv6ParamProblem].ptr == 43) # segleft field
179+
assert(p[ICMPv6ParamProblem].ptr == 41) # len field
180180
pktbuf_empty(child)
181181

182182

@@ -348,7 +348,7 @@ def run(func):
348348
raise e
349349

350350
run(test_wrong_type)
351-
run(test_seg_left_gt_len_addresses)
351+
run(test_inconsistent_header)
352352
run(test_multicast_dst)
353353
run(test_multicast_addr)
354354
run(test_multiple_addrs_of_mine_uncomp)

0 commit comments

Comments
 (0)