Summary
Ineffective size check implemented with `assert()` can lead to buffer overflow in https://github.com/RIOT-OS/RIOT/blob/master/sys/net/link_layer/l2filter/l2filter.c#L47
Details
Assertions are usually compiled out in production builds. If assertions are the only defense against untrusted inputs, the software may be exposed to attacks that utilize the lack of proper input checks. In the `l2filter_add()` function shown below, `addr_len` is checked using an assertion and is subsequently used as an argument in a `memcpy()` call. When assertions are disabled, there would be no size check for `addr_len`. As a consequence, if an attacker were to provide an `addr_len` value larger than `CONFIG_L2FILTER_ADDR_MAXLEN`, they can trigger a buffer overflow and write past the `list[i].addr` buffer.
Please refer to the snippet below:
```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CONFIG_L2FILTER_ADDR_MAXLEN and CONFIG_L2FILTER_LISTSIZE come from RIOT's build configuration. */

typedef struct {
    uint8_t addr[CONFIG_L2FILTER_ADDR_MAXLEN]; /**< link layer address */
    size_t addr_len;                           /**< address length in byte */
} l2filter_t;

/* ... */

int l2filter_add(l2filter_t *list, const void *addr, size_t addr_len)
{
    /* VULNERABLE: addr_len is only checked to be <= CONFIG_L2FILTER_ADDR_MAXLEN via assertion */
    assert(list && addr && (addr_len <= CONFIG_L2FILTER_ADDR_MAXLEN));
    int res = -ENOMEM;
    for (unsigned i = 0; i < CONFIG_L2FILTER_LISTSIZE; i++) {
        if (list[i].addr_len == 0) {
            list[i].addr_len = addr_len;
            /* VULNERABLE: if addr_len is larger than CONFIG_L2FILTER_ADDR_MAXLEN, this could lead to a buffer overflow */
            memcpy(list[i].addr, addr, addr_len);
            res = 0;
            break;
        }
    }
    return res;
}
```
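As an added example (not RIOT's code), a hardened variant of the same function that keeps the length check as an ordinary runtime check so it survives `NDEBUG`, plus a small self-check. The `CONFIG_` values, the name `l2filter_add_checked`, and the sample addresses are constructed for this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for RIOT's Kconfig options (assumption). */
#define CONFIG_L2FILTER_ADDR_MAXLEN 8
#define CONFIG_L2FILTER_LISTSIZE    4
typedef struct {
    uint8_t addr[CONFIG_L2FILTER_ADDR_MAXLEN]; /* link layer address */
    size_t addr_len;                           /* address length in bytes; 0 marks a free slot */
} l2filter_t;

/* Hardened variant (hypothetical name). The bounds check is an ordinary
 * runtime check, so it is still present when NDEBUG removes assert(),
 * and an oversized addr_len is rejected before memcpy() runs. */
int l2filter_add_checked(l2filter_t *list, const void *addr, size_t addr_len)
{
    if (list == NULL || addr == NULL) {
        return -EINVAL;
    }
    /* addr_len == 0 would create an entry that looks like a free slot. */
    if (addr_len == 0 || addr_len > CONFIG_L2FILTER_ADDR_MAXLEN) {
        return -EINVAL;
    }
    for (unsigned i = 0; i < CONFIG_L2FILTER_LISTSIZE; i++) {
        if (list[i].addr_len == 0) {
            list[i].addr_len = addr_len;
            memcpy(list[i].addr, addr, addr_len); /* addr_len <= sizeof(list[i].addr) here */
            return 0;
        }
    }
    return -ENOMEM;
}

/* Self-check: a valid address is stored, an oversized one is refused and
 * leaves the list untouched. Returns 0 on success, a step number on failure. */
int l2filter_demo(void)
{
    l2filter_t list[CONFIG_L2FILTER_LISTSIZE] = { { { 0 }, 0 } };
    const uint8_t mac[6] = { 0x02, 0x11, 0x22, 0x33, 0x44, 0x55 };      /* constructed */
    const uint8_t big[CONFIG_L2FILTER_ADDR_MAXLEN + 8] = { 0xAA };      /* constructed */

    if (l2filter_add_checked(list, mac, sizeof(mac)) != 0) return 1;
    if (memcmp(list[0].addr, mac, sizeof(mac)) != 0 || list[0].addr_len != 6) return 2;
    if (l2filter_add_checked(list, big, sizeof(big)) != -EINVAL) return 3;
    if (list[1].addr_len != 0) return 4;
    return 0;
}
```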
Impact
If the unchecked input is attacker-controlled, the impact of the buffer overflow can range from a denial of service to arbitrary code execution.