From cfe0143eeca54366e757c49fb555a6cbca97a49c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net>
Date: Wed, 31 Jan 2018 20:50:07 +0100
Subject: [PATCH] gnrc_netif: Fix out-of-bounds buffer access in ieee802154
 netif

---
 sys/include/net/ieee802154.h               | 2 ++
 sys/net/gnrc/netif/gnrc_netif_ieee802154.c | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/sys/include/net/ieee802154.h b/sys/include/net/ieee802154.h
index a11330cd01..bd3f539156 100644
--- a/sys/include/net/ieee802154.h
+++ b/sys/include/net/ieee802154.h
@@ -46,6 +46,8 @@ extern "C" {
  * @{
  */
 #define IEEE802154_MAX_HDR_LEN              (23U)
+#define IEEE802154_MIN_FRAME_LEN            (IEEE802154_FCF_LEN + sizeof(uint8_t))
+
 #define IEEE802154_FCF_LEN                  (2U)
 #define IEEE802154_FCS_LEN                  (2U)
 
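Review bot: `IEEE802154_MIN_FRAME_LEN` is undocumented and is defined above the `IEEE802154_FCF_LEN` it refers to, so a reader has to guess what the extra `sizeof(uint8_t)` byte stands for (presumably the sequence number that follows the FCF). The `sizeof` term also gives the macro type `size_t`, which means it cannot be used in `#if` and every comparison against a signed length needs a cast. I'd move it below the `IEEE802154_FCF_LEN` definition and write it as `#define IEEE802154_MIN_FRAME_LEN (IEEE802154_FCF_LEN + 1U) /**< FCF + 1 byte sequence number */`, in line with the neighbouring `(2U)`/`(23U)` constants. The constant is still unsigned in that form, so the signed comparison at the call site in gnrc_netif_ieee802154.c remains necessary.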
diff --git a/sys/net/gnrc/netif/gnrc_netif_ieee802154.c b/sys/net/gnrc/netif/gnrc_netif_ieee802154.c
index e568f66b22..a482c64c11 100644
--- a/sys/net/gnrc/netif/gnrc_netif_ieee802154.c
+++ b/sys/net/gnrc/netif/gnrc_netif_ieee802154.c
@@ -82,7 +82,7 @@ static gnrc_pktsnip_t *_recv(gnrc_netif_t *netif)
     gnrc_pktsnip_t *pkt = NULL;
     int bytes_expected = dev->driver->recv(dev, NULL, 0, NULL);
 
-    if (bytes_expected > 0) {
+    if (bytes_expected >= (int)IEEE802154_MIN_FRAME_LEN) {
         int nread;
 
         pkt = gnrc_pktbuf_add(NULL, NULL, bytes_expected, GNRC_NETTYPE_UNDEF);
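Review bot: The new lower bound is applied to `bytes_expected`, the length the driver announces, while the rest of the block works on `nread` from the actual read. The parsing between this hunk and the next is not visible here, so it should be confirmed that `nread` is also checked against the minimum, and against the header length implied by the FCF addressing modes, before any header field is read. The `(int)` cast is load-bearing: the macro is `size_t`, and without the cast a negative `bytes_expected` (if the driver's `recv()` can return one) would be converted to unsigned and pass the test. A short comment would stop it being removed as redundant, e.g. `/* signed compare: a negative recv() result must not pass */`. `_recv` starts and ends outside this hunk.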
@@ -155,6 +155,9 @@ static gnrc_pktsnip_t *_recv(gnrc_netif_t *netif)
 
         DEBUG("_recv_ieee802154: reallocating.\n");
         gnrc_pktbuf_realloc_data(pkt, nread);
+    } else if (bytes_expected > 0) {
+        DEBUG("_recv_ieee802154: received frame is too short\n");
+        dev->driver->recv(dev, NULL, bytes_expected, NULL);
     }
 
     return pkt;
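Review bot: The new `else if` branch discards the short frame with `dev->driver->recv(dev, NULL, bytes_expected, NULL)` but neither explains that call nor records the offending length, which makes malformed-frame events hard to spot in debug logs. I'd add `/* buf == NULL with len > 0: ask the driver to drop the pending frame */` above the call and log the size, `DEBUG("_recv_ieee802154: received frame is too short (%d bytes)\n", bytes_expected);`. The return value of the drop call is ignored as well. If the driver can fail here the frame may stay queued, so a `< 0` check with a DEBUG line would be worth having.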
-- 
GitLab