Open nmeum opened 3 years ago
Hmm, splitting the validation from the actual parsing seemed sensible back then (to optionally reduce ROM usage). But as the checking gets more complicated now, I think of completely removing the "optional validation" and making it mandatory to have a single processing loop.
Yeah, I think that would be wise.
Any progress on this? Let me know if I can be of assistance :)
I couldn't find the time to further look into it... if you want to give it a try then I'd appreciate this :)
Description
The implementation of `_parse_options` in `gnrc_rpl` has a problem very similar to the one described in #16062: it casts packed structs without performing prior boundary checks. I think the loop code is in fact more or less a copy of the one in `gnrc_rpl_validation_options`, thus a fix very similar to #16081 will be needed for it too. Consider for example the following code:
https://github.com/RIOT-OS/RIOT/blob/896e44cf931132801c1c6b18a3194ac44504dd24/sys/net/gnrc/routing/rpl/gnrc_rpl_control_messages.c#L619
In this case it might be the case that `len < sizeof(gnrc_rpl_opt_target_t)`, however this case is not covered by the implementation currently. There are also other casts to packed structs in this function which have the same issue.
Steps to reproduce the issue
Use `examples/gnrc_networking`, activate `gnrc_pktbuf_malloc` and set `CONFIG_GNRC_RPL_DEFAULT_NETIF` to your netif (check with `ifconfig` in the shell provided by `gnrc_networking`), mine is `6`:
I was also a bit too lazy to figure out how I can add an ULA to a `BOARD=native` network interface; to work around that I just made sure that `gnrc_rpl` uses the first available networking interface for DODAGs with the following patch (if you know how to configure a non-local address on a `BOARD=native` network interface please let me know):
Note: If you don't want to apply this patch, it should also be possible to reproduce this issue by adding a non-local IPv6 address to your network interface and passing that address to the `rpl root` command below.
Compile and run the application using:
In the RIOT term initialize the RPL root instance with the following command (the address passed to `rpl root` doesn't matter due to the patch from above):
Afterwards run `socat` as:
Expected results
The application shouldn't crash.
Actual results
CC: @cgundogan
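Added example, not RIOT's code: a constructed TLV option walker that illustrates the kind of check the report asks for, with the remaining length verified before every cast to a packed struct. The option layout, the struct names and `parse_options_checked` are assumptions made for illustration only.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified option layout assumed for this example (not RIOT's headers):
 * a generic type/length header, followed for "target" options by a fixed body. */
typedef struct __attribute__((packed)) {
    uint8_t type;
    uint8_t length;        /* number of data bytes after this header */
} opt_hdr_t;

typedef struct __attribute__((packed)) {
    opt_hdr_t hdr;
    uint8_t flags;
    uint8_t prefix_len;
    uint8_t target[16];
} opt_target_t;

#define OPT_PAD1   0
#define OPT_TARGET 5

/* Walk the option list in buf[0..len). Each cast to a packed struct is
 * preceded by a check that the remaining bytes really hold that struct, and
 * each option's claimed length is checked against what is left before it is
 * consumed. Returns the number of target options seen, or -1 when the buffer
 * is truncated or inconsistent. The last target's prefix length is stored in
 * *last_prefix_len so the caller can observe that the body was read. */
int parse_options_checked(const uint8_t *buf, size_t len, uint8_t *last_prefix_len)
{
    size_t off = 0;
    int targets = 0;

    while (off < len) {
        if (buf[off] == OPT_PAD1) { off++; continue; }     /* 1-byte padding */

        /* check 1: the header itself must fit before its length is read */
        if (len - off < sizeof(opt_hdr_t)) return -1;
        const opt_hdr_t *hdr = (const opt_hdr_t *)(buf + off);
        size_t opt_len = sizeof(opt_hdr_t) + hdr->length;

        /* check 2: the option's claimed length must fit in the remainder */
        if (opt_len > len - off) return -1;

        if (hdr->type == OPT_TARGET) {
            /* check 3: the option must be large enough for the struct we cast to */
            if (opt_len < sizeof(opt_target_t)) return -1;
            const opt_target_t *t = (const opt_target_t *)hdr;
            *last_prefix_len = t->prefix_len;
            targets++;
        }
        off += opt_len;    /* unknown types are skipped by their length */
    }
    return targets;
}
```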