Missing null pointer check in 6LoWPAN IPHC encoding.
While encoding an IPv6 header, the data is read from the next snippet in the packet:

    gnrc_pktsnip_t *hdr = pkt->next->next;
    ipv6_ext_t *ext = hdr->data;
Then the header is removed from the snippet:

    if (!_remove_header(pkt, hdr, ext_len)) {
If the header consumes all data in the snippet, the snippet is removed entirely:

    if (hdr->size > exp_hdr_size) {
        hdr = gnrc_pktbuf_mark(hdr, exp_hdr_size,
                               GNRC_NETTYPE_UNDEF);
        if (hdr == NULL) {
            DEBUG("6lo iphc: unable to remove compressed header\n");
            return false;
        }
    }
    gnrc_pktbuf_remove_snip(pkt, hdr);
The IPv6 header whose snippet was consumed can still carry a next-header value, so the firmware tries to encode another header. During that encoding the data is again read from the next snippet. If no next snippet exists, e.g. because it was just removed, a NULL pointer is dereferenced.
- If routing is enabled, arbitrary packets can reach IPHC encoding; for details see Reflecting Packets.
- A crafted packet can trigger a NULL pointer dereference, leading to a denial of service.
Check that the next snippet exists before reading from it.
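As an added illustration (not the project's code), a minimal stand-in for the snippet chain shows the unchecked `pkt->next->next` access beside the check the fix needs; `gnrc_pktsnip_t` is modelled with only the fields involved, and the chains are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
/* Stand-in for gnrc_pktsnip_t: only the fields the bug touches (assumption). */
typedef struct pktsnip {
    struct pktsnip *next;
    void *data;
    size_t size;
} pktsnip_t;

/* The original reads pkt->next->next unconditionally. Walk the chain one link
 * at a time and return NULL when it ends, e.g. after gnrc_pktbuf_remove_snip(). */
static pktsnip_t *next_ext_snip(const pktsnip_t *pkt)
{
    if (pkt == NULL || pkt->next == NULL) {
        return NULL;
    }
    return pkt->next->next; /* may itself be NULL: the caller must check */
}

/* Hardened encoding step: a header that still advertises a next header but
 * has no following snippet makes encoding fail instead of dereferencing NULL. */
static bool encode_ext_header(const pktsnip_t *pkt, const uint8_t **ext_out)
{
    pktsnip_t *hdr = next_ext_snip(pkt);
    if (hdr == NULL || hdr->data == NULL) {
        return false; /* where the original would DEBUG() and bail out */
    }
    *ext_out = hdr->data;
    return true;
}

/* Constructed chain sixlo -> ipv6 -> ext: the extension snippet is present. */
static bool full_chain_is_accepted(void)
{
    uint8_t bytes[8] = { 0 }; /* constructed extension-header bytes */
    pktsnip_t ext = { NULL, bytes, sizeof bytes };
    pktsnip_t ipv6 = { &ext, NULL, 0 };
    pktsnip_t sixlo = { &ipv6, NULL, 0 };
    const uint8_t *ext_data = NULL;
    return encode_ext_header(&sixlo, &ext_data) && ext_data == bytes;
}

/* Constructed chain sixlo -> ipv6: the snippet was consumed and removed. */
static bool short_chain_is_rejected(void)
{
    pktsnip_t ipv6 = { NULL, NULL, 0 };
    pktsnip_t sixlo = { &ipv6, NULL, 0 };
    const uint8_t *ext_data = NULL;
    return !encode_ext_header(&sixlo, &ext_data) && ext_data == NULL;
}
```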