From d7000477d4eaceff77aca8ba0ea65fe2356c3410 Mon Sep 17 00:00:00 2001 From: krzysztof-cabaj Date: Wed, 13 Sep 2023 14:31:35 -0400 Subject: [PATCH 1/4] gnrc/icmpv6: add check for too big icmpv6 packets --- sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c b/sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c index a6b9003d662e..6c6fe939d488 100644 --- a/sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c +++ b/sys/net/gnrc/network_layer/icmpv6/echo/gnrc_icmpv6_echo.c @@ -150,6 +150,12 @@ int gnrc_icmpv6_echo_send(const gnrc_netif_t *netif, const ipv6_addr_t *addr, ipv6_hdr_t *ipv6; uint8_t *databuf; + /* max IPv6 payload 65535 minus 8 bytes of icmp header = 65527 */ + if (len > (UINT16_MAX - sizeof(icmpv6_hdr_t))) { + DEBUG("error: wrong icmpv6 packet length\n"); + return -EINVAL; + } + pkt = gnrc_icmpv6_echo_build(ICMPV6_ECHO_REQ, id, seq, NULL, len); if (pkt == NULL) { DEBUG("error: packet buffer full\n"); From be7ae5789134918dd1579bf46fb28da7ad7f3952 Mon Sep 17 00:00:00 2001 From: krzysztof-cabaj Date: Sat, 16 Sep 2023 12:20:21 -0400 Subject: [PATCH 2/4] sys/shell/ping: add protection from icmp packet overflow --- sys/shell/cmds/gnrc_icmpv6_echo.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/sys/shell/cmds/gnrc_icmpv6_echo.c b/sys/shell/cmds/gnrc_icmpv6_echo.c index 3c1c3776f68a..acd0295ff762 100644 --- a/sys/shell/cmds/gnrc_icmpv6_echo.c +++ b/sys/shell/cmds/gnrc_icmpv6_echo.c @@ -172,6 +172,7 @@ static int _configure(int argc, char **argv, _ping_data_t *data) { char *cmdname = argv[0]; int res = 1; + int value; /* parse command line arguments */ for (int i = 1; i < argc; i++) { @@ -207,7 +208,13 @@ static int _configure(int argc, char **argv, _ping_data_t *data) /* intentionally falls through */ case 's': if ((++i) < argc) { - data->datalen = atoi(argv[i]); + value = atoi(argv[i]); + + if ((value < 0) || ((unsigned)value > (UINT16_MAX - sizeof(icmpv6_hdr_t)))) { + printf("ICMPv6 datagram size should be in range 0-65527.\n"); + return -1; + } + data->datalen = value; continue; } /* intentionally falls through */ From 838e62ca9f56ee86cffa13ea90e1be79d838253e Mon Sep 17 00:00:00 2001 From: krzysztof-cabaj Date: Wed, 20 Sep 2023 09:24:09 -0400 Subject: [PATCH 3/4] examples/gcoap: revert PR #19933 --- examples/gcoap/Makefile.ci | 1 - 1 file changed, 1 deletion(-) diff --git a/examples/gcoap/Makefile.ci b/examples/gcoap/Makefile.ci index 6265e67dd2b1..c5bf7d66f78f 100644 --- a/examples/gcoap/Makefile.ci +++ b/examples/gcoap/Makefile.ci @@ -25,7 +25,6 @@ BOARD_INSUFFICIENT_MEMORY := \ olimex-msp430-h1611 \ olimex-msp430-h2618 \ samd10-xmini \ - saml11-xpro \ slstk3400a \ stk3200 \ stm32f030f4-demo \ From a958fa2baf1a4a9f5bb551f92500838827759f09 Mon Sep 17 00:00:00 2001 From: krzysztof-cabaj Date: Wed, 20 Sep 2023 14:15:57 -0400 Subject: [PATCH 4/4] sys/shell/ping: reduce text to save ROM --- sys/shell/cmds/gnrc_icmpv6_echo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sys/shell/cmds/gnrc_icmpv6_echo.c b/sys/shell/cmds/gnrc_icmpv6_echo.c index acd0295ff762..c7dfd735673f 100644 --- a/sys/shell/cmds/gnrc_icmpv6_echo.c +++ b/sys/shell/cmds/gnrc_icmpv6_echo.c @@ -211,7 +211,7 @@ static int _configure(int argc, char **argv, _ping_data_t *data) value = atoi(argv[i]); if ((value < 0) || ((unsigned)value > (UINT16_MAX - sizeof(icmpv6_hdr_t)))) { - printf("ICMPv6 datagram size should be in range 0-65527.\n"); + printf("ping size should be in range 0-65527.\n"); return -1; } data->datalen = value;