Validate PREFIX_INFORMATION option size in RA

rawalexe · archigup · commit 5ed13a2e061a · 2026-04-22T15:31:53.000-07:00
In vReceiveRA_ReadReply(), the parser casts RA option bytes to
ICMPPrefixOption_IPv6_t * without verifying the option length is at
least sizeof(ICMPPrefixOption_IPv6_t). A truncated option causes an
out-of-bounds read when accessing prefix fields. Validate option length
before the cast.
diff --git a/source/FreeRTOS_RA.c b/source/FreeRTOS_RA.c
@@ -276,6 +276,7 @@
         const size_t uxLast = pxNetworkBuffer->xDataLength - uxNeededSize;
         uint8_t * pucBytes = &( pxNetworkBuffer->pucEthernetBuffer[ uxNeededSize ] );
         ICMPPrefixOption_IPv6_t * pxPrefixOption = NULL;
+        BaseType_t xMalformed = pdFALSE;
 
         while( ( uxIndex + 1U ) < uxLast )
         {
@@ -312,16 +313,29 @@
                     break;
 
                 case ndICMP_PREFIX_INFORMATION: /* 3 */
-                    /* MISRA Ref 11.3.1 [Misaligned access] */
-                    /* More details at: https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/blob/main/MISRA.md#rule-113 */
-                    /* coverity[misra_c_2012_rule_11_3_violation] */
-                    pxPrefixOption = ( ( ICMPPrefixOption_IPv6_t * ) &( pucBytes[ uxIndex ] ) );
-
-                    FreeRTOS_printf( ( "RA: Prefix len %d Life %u, %u (%pip)\n",
-                                       pxPrefixOption->ucPrefixLength,
-                                       ( unsigned ) FreeRTOS_ntohl( pxPrefixOption->ulValidLifeTime ),
-                                       ( unsigned ) FreeRTOS_ntohl( pxPrefixOption->ulPreferredLifeTime ),
-                                       ( void * ) pxPrefixOption->ucPrefix ) );
+
+                    if( uxLength < sizeof( ICMPPrefixOption_IPv6_t ) )
+                    {
+                        FreeRTOS_printf(
+                            ( "RA: Prefix option too short ( %u < %u )\n",
+                              ( unsigned ) uxLength,
+                              ( unsigned ) sizeof( ICMPPrefixOption_IPv6_t ) ) );
+                        xMalformed = pdTRUE;
+                    }
+                    else
+                    {
+                        /* MISRA Ref 11.3.1 [Misaligned access] */
+                        /* More details at: https://github.com/FreeRTOS/FreeRTOS-Plus-TCP/blob/main/MISRA.md#rule-113 */
+                        /* coverity[misra_c_2012_rule_11_3_violation] */
+                        pxPrefixOption = ( ( ICMPPrefixOption_IPv6_t * ) &( pucBytes[ uxIndex ] ) );
+
+                        FreeRTOS_printf( ( "RA: Prefix len %d Life %u, %u (%pip)\n",
+                                           pxPrefixOption->ucPrefixLength,
+                                           ( unsigned ) FreeRTOS_ntohl( pxPrefixOption->ulValidLifeTime ),
+                                           ( unsigned ) FreeRTOS_ntohl( pxPrefixOption->ulPreferredLifeTime ),
+                                           ( void * ) pxPrefixOption->ucPrefix ) );
+                    }
+
                     break;
 
                 case ndICMP_REDIRECTED_HEADER: /* 4 */
@@ -345,6 +359,12 @@
                     break;
             }
 
+            if( xMalformed != pdFALSE )
+            {
+                FreeRTOS_printf( ( "RA: Malformed packet.\n" ) );
+                break;
+            }
+
             uxIndex = uxIndex + uxLength;
         } /* while( ( uxIndex + 1 ) < uxLast ) */
 
