
drivers/slipdev: fix off-by-one error in _recv()

Open benpicco opened this issue 3 years ago • 4 comments

Contribution description

If the number of written bytes is greater than the length of the buffer, we have already written out-of-bounds memory.

With pktbuf this means we will likely have corrupted the next free list entry.

Testing procedure

Issues/PRs references

benpicco avatar Jun 18 '22 08:06 benpicco
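The off-by-one described in the contribution description, as an added example that is not RIOT's `_recv()` code and not part of the original thread: a hypothetical SLIP decoder (`slip_decode`, `canary_clobbered` and the sample frame are constructed for illustration) with the bounds check placed after the write versus before it. The check-after-write shape is an assumption drawn from the description's wording.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* SLIP framing bytes (RFC 1055) */
#define SLIP_END     0xC0
#define SLIP_ESC     0xDB
#define SLIP_END_ESC 0xDC
#define SLIP_ESC_ESC 0xDD

/* Hypothetical decoder, not RIOT's _recv(): unescapes one SLIP frame from
 * `in` into `buf` (capacity `len`). Returns the payload size, or -1 if the
 * frame does not fit or is incomplete. `check_after_write` selects the
 * off-by-one variant (assumed shape of the bug). */
int slip_decode(const uint8_t *in, size_t in_len,
                uint8_t *buf, size_t len, int check_after_write)
{
    size_t n = 0;
    int esc = 0;
    for (size_t i = 0; i < in_len; i++) {
        uint8_t b = in[i];
        if (b == SLIP_END) { return (int)n; }
        if (!esc && b == SLIP_ESC) { esc = 1; continue; }
        if (esc) {
            b = (b == SLIP_END_ESC) ? SLIP_END : (b == SLIP_ESC_ESC) ? SLIP_ESC : b;
            esc = 0;
        }
        if (check_after_write) {
            buf[n++] = b;                /* byte is stored first ...        */
            if (n > len) { return -1; }  /* ... overflow noticed a byte late */
        } else {
            if (n >= len) { return -1; } /* reject before touching buf[len] */
            buf[n++] = b;
        }
    }
    return -1; /* no END byte seen */
}

/* Decodes a constructed 5-byte payload into a 4-byte buffer followed by a
 * canary byte in the same array, so the stray write is observable without
 * leaving the allocation. Returns 1 if the canary was overwritten. */
int canary_clobbered(int check_after_write)
{
    static const uint8_t frame[] = { 1, 2, SLIP_ESC, SLIP_END_ESC, 4, 5, SLIP_END };
    uint8_t mem[5];
    memset(mem, 0xAA, sizeof(mem));
    int res = slip_decode(frame, sizeof(frame), mem, 4, check_after_write);
    return (res == -1) && (mem[4] != 0xAA);
}
```

Both variants report the oversized frame as an error; only the check-before-write variant does so without having modified the byte past the buffer, which in a packet buffer would be the neighbouring allocation's metadata.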

Agreeing with @kfessel.

miri64 avatar Jun 21 '22 07:06 miri64

Like this?

btw what's up with that _recv function? Why does it have a special case to drop len bytes if buf is NULL? This is the only driver I'm aware of that does that, and I can't think of a use case for when this would be useful.

benpicco avatar Jun 22 '22 22:06 benpicco

Hm a

sudo ping -A ff02::1%sl0

still kills it

benpicco avatar Jun 22 '22 23:06 benpicco

Ah the adaptive ping issue is unrelated. I was testing this on an nrf52840dk with examples/gnrc_border_router, so gnrc_netif_pktq is used.

> ping ff02::1
error: packet buffer full
error: packet buffer full
error: packet buffer full

-> #17924

benpicco avatar Jun 23 '22 13:06 benpicco

closed in favor of #18826

benpicco avatar Nov 01 '22 09:11 benpicco