Validate RA prefix length bounds

FreeRTOS_CreateIPv6Address() uses the RA-supplied prefix length as a
memcpy size: (uxPrefixLength + 7) / 8. With a prefix length > 128,
this exceeds the 16-byte IPv6 address buffer. Validate prefix length
in both vReceiveRA() and FreeRTOS_CreateIPv6Address() before use.

Author: rawalexe

source/FreeRTOS_ND.c

@@ -1342,30 +1342,51 @@
             /* A loopback IP-address has a prefix of 128. */
             configASSERT( ( uxPrefixLength > 0U ) && ( uxPrefixLength <= ( 8U * ipSIZE_OF_IPv6_ADDRESS ) ) );
 
-            if( uxPrefixLength >= 8U )
+            if( ( uxPrefixLength == 0U ) || ( uxPrefixLength > ( 8U * ipSIZE_OF_IPv6_ADDRESS ) ) )
+            {
+                FreeRTOS_printf( ( "Invalid prefix length %u\n",
+                                   ( unsigned ) uxPrefixLength ) );
+                xResult = pdFAIL;
+            }
+            else if( uxPrefixLength >= 8U )
             {
                 ( void ) memcpy( pxIPAddress->ucBytes, pxPrefix->ucBytes, ( uxPrefixLength + 7U ) / 8U );
             }
-
-            pucSource = ( uint8_t * ) pulRandom;
-            uxIndex = uxPrefixLength / 8U;
-
-            if( ( uxPrefixLength % 8U ) != 0U )
+            else
             {
-                /* uxHostLen is between 1 and 7 bits long. */
-                size_t uxHostLen = 8U - ( uxPrefixLength % 8U );
-                uint32_t uxHostMask = ( ( ( uint32_t ) 1U ) << uxHostLen ) - 1U;
-                uint8_t ucNetMask = ( uint8_t ) ~( uxHostMask );
-
-                pxIPAddress->ucBytes[ uxIndex ] &= ucNetMask;
-                pxIPAddress->ucBytes[ uxIndex ] |= ( pucSource[ 0 ] & ( ( uint8_t ) uxHostMask ) );
-                pucSource = &( pucSource[ 1 ] );
-                uxIndex++;
+                /* No bytes to copy for prefix lengths less than 8. */
+                FreeRTOS_printf( ( "Prefix length %u < 8, no full bytes to copy\n",
+                                   ( unsigned ) uxPrefixLength ) );
             }
 
-            if( uxIndex < ipSIZE_OF_IPv6_ADDRESS )
+            if( xResult == pdPASS )
             {
-                ( void ) memcpy( &( pxIPAddress->ucBytes[ uxIndex ] ), pucSource, ipSIZE_OF_IPv6_ADDRESS - uxIndex );
+                pucSource = ( uint8_t * ) pulRandom;
+                uxIndex = uxPrefixLength / 8U;
+
+                /*
+                 * When uxPrefixLength is 128, uxIndex is calculated as 128 / 8 = 16,
+                 * which is past the end of the 16-byte ucBytes array (valid indices 0-15).
+                 * Add bounds check before writing to ucBytes[uxIndex] in the partial-byte
+                 * prefix block.
+                 */
+                if( ( ( uxPrefixLength % 8U ) != 0U ) && ( uxIndex < ipSIZE_OF_IPv6_ADDRESS ) )
+                {
+                    /* uxHostLen is between 1 and 7 bits long. */
+                    size_t uxHostLen = 8U - ( uxPrefixLength % 8U );
+                    uint32_t uxHostMask = ( ( ( uint32_t ) 1U ) << uxHostLen ) - 1U;
+                    uint8_t ucNetMask = ( uint8_t ) ~( uxHostMask );
+
+                    pxIPAddress->ucBytes[ uxIndex ] &= ucNetMask;
+                    pxIPAddress->ucBytes[ uxIndex ] |= ( pucSource[ 0 ] & ( ( uint8_t ) uxHostMask ) );
+                    pucSource = &( pucSource[ 1 ] );
+                    uxIndex++;
+                }
+
+                if( uxIndex < ipSIZE_OF_IPv6_ADDRESS )
+                {
+                    ( void ) memcpy( &( pxIPAddress->ucBytes[ uxIndex ] ), pucSource, ipSIZE_OF_IPv6_ADDRESS - uxIndex );
+                }
             }
         }
 

source/FreeRTOS_RA.c

@@ -424,6 +424,14 @@
                     {
                         if( ( pxEndPoint->bits.bWantRA != pdFALSE_UNSIGNED ) && ( pxEndPoint->xRAData.eRAState == eRAStateWait ) )
                         {
+                            if( ( pxPrefixOption->ucPrefixLength == 0U ) ||
+                                ( pxPrefixOption->ucPrefixLength > ( 8U * ipSIZE_OF_IPv6_ADDRESS ) ) )
+                            {
+                                FreeRTOS_printf( ( "vReceiveRA: The prefix length "
+                                                   "is invalid\n" ) );
+                                break;
+                            }
+
                             pxEndPoint->ipv6_settings.uxPrefixLength = pxPrefixOption->ucPrefixLength;
                             ( void ) memcpy( pxEndPoint->ipv6_settings.xPrefix.ucBytes, pxPrefixOption->ucPrefix, ipSIZE_OF_IPv6_ADDRESS );
                             ( void ) memcpy( pxEndPoint->ipv6_settings.xGatewayAddress.ucBytes, pxICMPPacket->xIPHeader.xSourceAddress.ucBytes, ipSIZE_OF_IPv6_ADDRESS );

test/unit-test/FreeRTOS_RA/FreeRTOS_RA_utest.c

@@ -894,14 +894,14 @@ void test_vReceiveRA_vRAProccess( void )
     pxNetworkBuffer = &xNetworkBuffer;
     pxNetworkBuffer->pucEthernetBuffer = ( uint8_t * ) &xICMPPacket;
     pxNetworkBuffer->pxInterface = &xInterface;
-    pxNetworkBuffer->xDataLength = raHeaderBytesRA + raPrefixOptionlen;
+    pxNetworkBuffer->xDataLength = raHeaderBytesRA + sizeof( ICMPPrefixOption_IPv6_t );
     pxAdvertisement = &xICMPPacket.xAdvertisement;
     pxAdvertisement->usLifetime = pdTRUE_UNSIGNED;
 
     pxPrefixOption = &xICMPPacket.xPrefixOption;
     pxPrefixOption->ucType = ndICMP_PREFIX_INFORMATION;
-    /* Only 1 option */
-    pxPrefixOption->ucLength = 1;
+    pxPrefixOption->ucLength = 4;
+    pxPrefixOption->ucPrefixLength = 64;
 
     pxEndPoint->bits.bWantRA = pdTRUE_UNSIGNED;
 
@@ -931,14 +931,14 @@ void test_vReceiveRA_vRAProcess( void )
     pxNetworkBuffer = &xNetworkBuffer;
     pxNetworkBuffer->pucEthernetBuffer = ( uint8_t * ) &xICMPPacket;
     pxNetworkBuffer->pxInterface = &xInterface;
-    pxNetworkBuffer->xDataLength = raHeaderBytesRA + raPrefixOptionlen;
+    pxNetworkBuffer->xDataLength = raHeaderBytesRA + sizeof( ICMPPrefixOption_IPv6_t );
     pxAdvertisement = &xICMPPacket.xAdvertisement;
     pxAdvertisement->usLifetime = pdTRUE_UNSIGNED;
 
     pxPrefixOption = &xICMPPacket.xPrefixOption;
     pxPrefixOption->ucType = ndICMP_PREFIX_INFORMATION;
-    /* Only 1 option */
-    pxPrefixOption->ucLength = 1;
+    pxPrefixOption->ucLength = 4;
+    pxPrefixOption->ucPrefixLength = 64;
 
 
     pxEndPoint->bits.bWantRA = pdTRUE_UNSIGNED;