RPL: prevent unintended memory access (rpl_remove_header)

When it goes to the default label in the switch statement of rpl_remove_header(), UIP_EXT_BUF does not always point to an IPv6 extension header. "Move to next header" process should be done only in case of UIP_PROTO_DESTO. Otherwise, it returns with doing nothing.
2016-06-27 20:57:48 +02:00 · 2016-06-27 20:57:48 +02:00 · 5a79bad4b1
parent e361c49f14
commit 5a79bad4b1
1 changed files with 11 additions and 7 deletions
--- a/core/net/rpl/rpl-ext-header.c
+++ b/core/net/rpl/rpl-ext-header.c
@ -655,11 +655,6 @@ rpl_remove_header(void)
  /* Look for hop-by-hop and routing headers */
  while(uip_next_hdr != NULL) {
    switch(*uip_next_hdr) {
-      case UIP_PROTO_TCP:
-      case UIP_PROTO_UDP:
-      case UIP_PROTO_ICMP6:
-      case UIP_PROTO_NONE:
-        return;
      case UIP_PROTO_HBHO:
      case UIP_PROTO_ROUTING:
        /* Remove hop-by-hop and routing headers */
@ -674,13 +669,22 @@ rpl_remove_header(void)
        PRINTF("RPL: Removing RPL extension header (type %u, len %u)\n", *uip_next_hdr, rpl_ext_hdr_len);
        memmove(UIP_EXT_BUF, ((uint8_t *)UIP_EXT_BUF) + rpl_ext_hdr_len, uip_len - UIP_IPH_LEN);
        break;
-      default:
+      case UIP_PROTO_DESTO:
+        /*
+         * As per RFC 2460, any header other than the Destination
+         * Options header does not appear between the Hop-by-Hop
+         * Options header and the Routing header.
+         *
+         * We're moving to the next header only if uip_next_hdr has
+         * UIP_PROTO_DESTO. Otherwise, we'll return.
+         */
        /* Move to next header */
        if(uip_next_hdr != &UIP_IP_BUF->proto) {
          uip_ext_len += (UIP_EXT_BUF->len << 3) + 8;
        }
        uip_next_hdr = &UIP_EXT_BUF->next;
-        break;
+    default:
+      return;
    }
  }
 }