Skip to content

Missing dhcpv6_opt_t minimum header length check

High
miri64 published GHSA-xgv3-pcq6-qmrg Nov 22, 2024

Package

RIOT-OS (RIOT-OS)

Affected versions

<=2024.04

Patched versions

None

Description

Summary

In the function _parse_advertise in /sys/net/application_layer/dhcpv6/client.c, the absence of minimum header length check for dhcpv6_opt_t could result in an out-of-bound read during the preparse and parse phase.

Details

In the function _parse_advertise, located in /sys/net/application_layer/dhcpv6/client.c, there is no minimum header length check for dhcpv6_opt_t after processing dhcpv6_msg_t. This omission could lead to an out-of-bound read, causing system inconsistency.

Additionally, the same lack of a header length check is present in the function _preparse_advertise, which is called by _parse_advertise before handling the request.

static int _preparse_advertise(uint8_t *adv, size_t len, uint8_t **buf)
{
    dhcpv6_opt_duid_t *cid = NULL, *sid = NULL;
    dhcpv6_opt_pref_t *pref = NULL;
    dhcpv6_opt_status_t *status = NULL;
    size_t orig_len = len;
    uint8_t pref_val = 0;

    DEBUG("DHCPv6 client: received ADVERTISE\n");
    if ((len < sizeof(dhcpv6_msg_t)) || !_is_tid((dhcpv6_msg_t *)adv)) {
        DEBUG("DHCPv6 client: packet too small or transaction ID wrong\n");
        return -1;
    }
    len -= sizeof(dhcpv6_msg_t);
    for (dhcpv6_opt_t *opt = (dhcpv6_opt_t *)(&adv[sizeof(dhcpv6_msg_t)]);
         len > 0; len -= _opt_len(opt), opt = _opt_next(opt)) {
        if (len > orig_len) {
            DEBUG("DHCPv6 client: ADVERTISE options overflow packet boundaries\n");
            return -1;
        }

        /* The absence of a size check for the remaining portion of opt */

        /* There should be also size check of remaining opt for each type */
        switch (byteorder_ntohs(opt->type)) {
            case DHCPV6_OPT_CID:
                cid = (dhcpv6_opt_duid_t *)opt;
                break;
            case DHCPV6_OPT_SID:
                sid = (dhcpv6_opt_duid_t *)opt;
                break;
            case DHCPV6_OPT_STATUS:
                status = (dhcpv6_opt_status_t *)opt;
                break;
            case DHCPV6_OPT_PREF:
                pref = (dhcpv6_opt_pref_t *)opt;
                break;
            default:
                break;

    ...
}

Impact

The missing header length check in both _parse_advertise and _preparse_advertise can lead to out-of-bound reads, potentially causing system instability and inconsistency.

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID

CVE-2024-52802

Weaknesses

Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. Learn more on MITRE.

Out-of-bounds Read

The product reads data past the end, or before the beginning, of the intended buffer. Learn more on MITRE.

Credits