Integer underflow in _6lo_frag_size
sys/net/gnrc/network_layer/sixlowpan/frag/rb/gnrc_sixlowpan_frag_rb.c:234
In _6lo_frag_size the fragment size is calculated as frag_size = pkt->size - sizeof(sixlowpan_frag_n_t);. sizeof(sixlowpan_frag_n_t) is 4 bytes, but pkt->size can be smaller than that, so the unsigned subtraction wraps around (integer underflow) and produces a huge frag_size. _rbuf_add later uses this value as the size argument for memcpy.
- A large OOB memcpy is started in the packet buffer, resulting in a crash once the end of memory is reached
- A manipulated packet can lead to DoS
- Based on timing (context switch during memcpy operation) and board RAM (>64kB of RAM), corruption might be exploitable to RCE
Check that fragmented packets are at least sizeof(sixlowpan_frag_n_t) bytes large before computing the fragment size, and drop the fragment otherwise.
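The following is an added illustration, not RIOT's code: it places the unchecked subtraction from the report next to a checked variant and a stand-in for the reassembly-buffer add step. The packet and header types (pkt_t, frag_hdr_t) and the sample bytes are constructed here; frag_hdr_t only matches the 4-byte size the report quotes and not the real sixlowpan_frag_n_t layout. It goes one step beyond the report's suggested fix by also bounding the copy against the reassembly buffer, since a sane fragment size alone does not stop an offset from running past the buffer end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed placeholder for sixlowpan_frag_n_t: same 4-byte size as the
 * report states, field names are not RIOT's. */
typedef struct {
    uint8_t dispatch_size[2];
    uint8_t tag[2];
} frag_hdr_t;

/* Constructed minimal view of a received packet (pkt->data / pkt->size). */
typedef struct {
    const uint8_t *data;
    size_t size;
} pkt_t;

/* The pattern from the report: size_t arithmetic wraps, so a packet shorter
 * than the header yields a huge "fragment size" instead of a negative one. */
size_t frag_size_unchecked(const pkt_t *pkt)
{
    return pkt->size - sizeof(frag_hdr_t);
}

/* Checked variant: refuse packets that cannot even hold the header. */
bool frag_size_checked(const pkt_t *pkt, size_t *frag_size)
{
    if (pkt->size < sizeof(frag_hdr_t)) {
        return false;   /* caller must drop the fragment, never call memcpy */
    }
    *frag_size = pkt->size - sizeof(frag_hdr_t);
    return true;
}

/* Stand-in for the reassembly-buffer add step: copies only when the
 * fragment size is sane AND the write stays inside the buffer. */
bool rbuf_add_checked(uint8_t *rbuf, size_t rbuf_len, size_t offset,
                      const pkt_t *pkt)
{
    size_t frag_size;
    if (!frag_size_checked(pkt, &frag_size)) {
        return false;
    }
    /* offset + frag_size could itself wrap, so compare by subtraction */
    if (offset > rbuf_len || frag_size > rbuf_len - offset) {
        return false;
    }
    memcpy(rbuf + offset, pkt->data + sizeof(frag_hdr_t), frag_size);
    return true;
}

/* Constructed samples: a 2-byte packet (shorter than the header) and a
 * 7-byte packet (header + 3 payload bytes). */
static const uint8_t sample_short[2] = { 0x00, 0x00 };
static const uint8_t sample_ok[7]    = { 0xE0, 0x00, 0x00, 0x01, 0xAA, 0xBB, 0xCC };

/* Shows the wrap-around: 2 - 4 in size_t arithmetic is SIZE_MAX - 1. */
size_t demo_unchecked_short(void)
{
    pkt_t p = { sample_short, sizeof sample_short };
    return frag_size_unchecked(&p);
}

/* Both checked paths reject the too-short packet. */
bool demo_checked_rejects_short(void)
{
    pkt_t p = { sample_short, sizeof sample_short };
    size_t fs = 0;
    uint8_t rbuf[16] = { 0 };
    return !frag_size_checked(&p, &fs) &&
           !rbuf_add_checked(rbuf, sizeof rbuf, 0, &p);
}

/* Places the valid 3-byte fragment at offset 4 and returns the byte that
 * landed at offset 6; returns 0 if a placement past the end was accepted
 * and -1 if the valid placement was wrongly refused. */
int demo_checked_accepts_ok(void)
{
    pkt_t p = { sample_ok, sizeof sample_ok };
    uint8_t rbuf[16] = { 0 };
    if (!rbuf_add_checked(rbuf, sizeof rbuf, 4, &p)) {
        return -1;
    }
    if (rbuf_add_checked(rbuf, sizeof rbuf, 14, &p)) {
        return 0;   /* 14 + 3 > 16 must be refused */
    }
    return rbuf[6];
}
```

The length check has to happen before the subtraction, not after: once frag_size has wrapped, a later "frag_size > something" comparison can no longer tell a short packet from a large one, which is why the checked variant compares pkt->size against the header size directly.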