Impact
RIOT-OS contains a network stack with the ability to process 6LoWPAN frames. An attacker can send crafted frames to the device to trigger the usage of an uninitialized object leading to denial of service.
Patches
No public patches are available.
Workarounds
- Disabling fragment forwarding or SFR
For more information
If you have any questions or comments about this advisory:
Bug Details
If SFR is activated, the 6LoWPAN stack uses a timer to handle fragment timeouts.
The timer is only initialized once the first fragment with _frag_ack_req is sent (source):
    if (_frag_ack_req(frag_desc)) {
        /* initialize _arq_timer if not yet done */
        if (_arq_timer.callback == NULL) {
            evtimer_init_msg(&_arq_timer);
        }
        _sched_arq_timeout(fbuf, fbuf->sfr.arq_timeout);
    }
If an error occurs during processing of this frame, the timer won't be initialized but is still used (source).
Once the timer event fires, it calls the uninitialized function pointer of the event, which then results in a crash.
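A simplified model of this failure mode next to one defensive pattern, added here as an example; it is not RIOT code and not a RIOT patch. All names (`model_timer_t`, `timer_ensure_init`, `schedule_lazy`, `schedule_hardened`, `timer_fire`) are hypothetical, and a zeroed struct stands in for the never-initialized timer.

```c
#include <stddef.h>

/* Hypothetical stand-in for an event timer; not RIOT's evtimer type. */
typedef struct {
    void (*callback)(void *arg);  /* NULL until initialized */
    int pending;                  /* number of scheduled events */
} model_timer_t;

static int fired;                 /* counts handled timeouts */
static void on_timeout(void *arg) { (void)arg; fired++; }

/* Idempotent init: safe to call from every path that schedules. */
static void timer_ensure_init(model_timer_t *t)
{
    if (t->callback == NULL) { t->callback = on_timeout; }
}

/* Model of the described pattern: only the ack-request path initializes. */
static void schedule_lazy(model_timer_t *t, int ack_req_path)
{
    if (ack_req_path) { timer_ensure_init(t); }
    t->pending++;                 /* other paths schedule without init */
}

/* Hardened variant: every scheduling path initializes first. */
static void schedule_hardened(model_timer_t *t)
{
    timer_ensure_init(t);
    t->pending++;
}

/* Guarded dispatch: 0 if handled or idle, -1 if the timer was never set up. */
static int timer_fire(model_timer_t *t)
{
    if (t->pending == 0) { return 0; }
    t->pending--;
    if (t->callback == NULL) { return -1; }  /* refuse the unset pointer */
    t->callback(NULL);
    return 0;
}

int main(void)
{
    model_timer_t a = {0}, b = {0};
    schedule_lazy(&a, 0);         /* error path: scheduled, never initialized */
    schedule_hardened(&b);
    /* a is rejected by the guard (-1); b is handled (0) */
    return (timer_fire(&a) == -1 && timer_fire(&b) == 0) ? 0 : 1;
}
```

The guard in `timer_fire` turns the crash into a detectable error, while `schedule_hardened` removes the uninitialized state altogether.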