Fix CWE-126/476/822: IPv6 buffer validation and bounds checking

- Fix missing NULL pointer checks in FreeRTOS_ND.c
- Add ICMPv6 minimum packet size validation
- Move IPv6 version field check after buffer validation
- Fix integer wrap-around in IPv6 payload length processing
- Add unit test coverage
- MISRA compliance fixes

Cherry-picked from PR FreeRTOS#1296 (V4.3.4):
  3fabc55 Initial version with UTs fixed
  55705f0 Fix missing check for IPv6 version field in header
  5af6088 Fix integer wrap around with IPv6 payload length field processing
  442dda7 Fix coverage and spell check
  e659f7f Minor fix
  c8f8926 Fix formatting
  b679d2b Fix MISRA issues

Author: tony-josi-aws

source/FreeRTOS_IPv6.c

@@ -93,7 +93,6 @@ const struct xIPv6_Address FreeRTOS_in6addr_loopback = { { 0U, 0U, 0U, 0U, 0U, 0
                                             size_t uxBufferLength )
     {
         BaseType_t xResult = pdFAIL;
-        uint16_t ucVersionTrafficClass;
         uint16_t usPayloadLength;
         uint8_t ucNextHeader;
         size_t uxMinimumLength;
@@ -116,15 +115,6 @@ const struct xIPv6_Address FreeRTOS_in6addr_loopback = { { 0U, 0U, 0U, 0U, 0U, 0
                 break;
             }
 
-            ucVersionTrafficClass = pxIPv6Packet->xIPHeader.ucVersionTrafficClass;
-
-            /* Test if the IP-version is 6. */
-            if( ( ( ucVersionTrafficClass & ( uint8_t ) 0xF0U ) >> 4 ) != 6U )
-            {
-                DEBUG_SET_TRACE_VARIABLE( xLocation, 2 );
-                break;
-            }
-
             /* Check if the IPv6-header is transferred. */
             if( uxBufferLength < ( ipSIZE_OF_ETH_HEADER + ipSIZE_OF_IPv6_HEADER ) )
             {
@@ -497,6 +487,7 @@ eFrameProcessingResult_t prvAllowIPPacketIPv6( const IPHeader_IPv6_t * const pxI
         const IPv6_Address_t * pxDestinationIPAddress = &( pxIPv6Header->xDestinationAddress );
         const IPv6_Address_t * pxSourceIPAddress = &( pxIPv6Header->xSourceAddress );
         BaseType_t xHasUnspecifiedAddress = pdFALSE;
+        uint16_t ucVersionTrafficClass = pxIPv6Header->ucVersionTrafficClass;
 
         /* Drop if packet has unspecified IPv6 address (defined in RFC4291 - sec 2.5.2)
          * either in source or destination address. */
@@ -506,10 +497,17 @@ eFrameProcessingResult_t prvAllowIPPacketIPv6( const IPHeader_IPv6_t * const pxI
             xHasUnspecifiedAddress = pdTRUE;
         }
 
+        /* Test if the IP-version is 6. */
+        if( ( ( ucVersionTrafficClass & ( uint8_t ) 0xF0U ) >> 4 ) != 6U )
+        {
+            /* Can not handle, unknown or invalid header version. */
+            eReturn = eReleaseBuffer;
+            FreeRTOS_printf( ( "prvAllowIPPacketIPv6: drop packet, invalid header version: %u\n", ( ucVersionTrafficClass & ( uint8_t ) 0xF0U ) >> 4 ) );
+        }
         /* Is the packet for this IP address? */
-        if( ( xHasUnspecifiedAddress == pdFALSE ) &&
-            ( pxNetworkBuffer->pxEndPoint != NULL ) &&
-            ( memcmp( pxDestinationIPAddress->ucBytes, pxNetworkBuffer->pxEndPoint->ipv6_settings.xIPAddress.ucBytes, sizeof( IPv6_Address_t ) ) == 0 ) )
+        else if( ( xHasUnspecifiedAddress == pdFALSE ) &&
+                 ( pxNetworkBuffer->pxEndPoint != NULL ) &&
+                 ( memcmp( pxDestinationIPAddress->ucBytes, pxNetworkBuffer->pxEndPoint->ipv6_settings.xIPAddress.ucBytes, sizeof( IPv6_Address_t ) ) == 0 ) )
         {
             eReturn = eProcessBuffer;
         }

source/FreeRTOS_IPv6_Utils.c

@@ -92,7 +92,7 @@ BaseType_t prvChecksumIPv6Checks( uint8_t * pucEthernetBuffer,
     {
         uxExtensionHeaderLength = usGetExtensionHeaderLength( pucEthernetBuffer, uxBufferLength, &pxSet->ucProtocol );
 
-        if( uxExtensionHeaderLength >= uxBufferLength )
+        if( ( ipSIZE_OF_ETH_HEADER + ipSIZE_OF_IPv6_HEADER + uxExtensionHeaderLength ) >= uxBufferLength )
         {
             /* Error detected when parsing extension header. */
             pxSet->usChecksum = ipINVALID_LENGTH;
@@ -107,8 +107,18 @@ BaseType_t prvChecksumIPv6Checks( uint8_t * pucEthernetBuffer,
             /* coverity[misra_c_2012_rule_11_3_violation] */
             pxSet->pxProtocolHeaders = ( ( ProtocolHeaders_t * ) &( pucEthernetBuffer[ ipSIZE_OF_ETH_HEADER + ipSIZE_OF_IPv6_HEADER + uxExtensionHeaderLength ] ) );
             pxSet->usPayloadLength = FreeRTOS_ntohs( pxSet->pxIPPacket_IPv6->usPayloadLength );
+
             /* For IPv6, the number of bytes in the protocol is indicated. */
-            pxSet->usProtocolBytes = ( uint16_t ) ( pxSet->usPayloadLength - uxExtensionHeaderLength );
+            if( pxSet->usPayloadLength < uxExtensionHeaderLength )
+            {
+                /* Invalid payload length - extension headers exceed payload. */
+                pxSet->usChecksum = ipINVALID_LENGTH;
+                xReturn = 4;
+            }
+            else
+            {
+                pxSet->usProtocolBytes = ( uint16_t ) ( pxSet->usPayloadLength - uxExtensionHeaderLength );
+            }
 
             uxNeeded = ( size_t ) pxSet->usPayloadLength;
             uxNeeded += ipSIZE_OF_ETH_HEADER + ipSIZE_OF_IPv6_HEADER;

source/FreeRTOS_ND.c

@@ -132,6 +132,8 @@
 struct xNetworkEndPoint;
 struct xNetworkInterface;
 
+#define ipICMPv6_GENERAL_FIELD_SIZE    ( 4U )
+
 #include "pack_struct_start.h"
 struct xIP_HEADER_IPv6
 {

source/include/FreeRTOS_IPv6_Private.h

@@ -137,7 +137,9 @@ void harness()
     uint16_t usEthernetBufferSize;
     NetworkBufferDescriptor_t * pxLocalARPWaitingNetworkBuffer;
 
-    __CPROVER_assume( ( ulLen >= sizeof( ICMPPacket_IPv6_t ) ) && ( ulLen < ipconfigNETWORK_MTU ) );
+    /* Following assumption is to make sure ulLen doesn't go
+     * beyond CBMC_MAX_OBJECT_SIZE */
+    __CPROVER_assume( ulLen < ( CBMC_MAX_OBJECT_SIZE - ipBUFFER_PADDING ) );
 
     pxNetworkBuffer = pxGetNetworkBufferWithDescriptor( ulLen, 0 );
 

test/cbmc/proofs/ND/prvProcessICMPMessage_IPv6/ProcessICMPMessage_IPv6_harness.c

@@ -21,19 +21,26 @@ void harness()
     size_t uxBufferSize;
     uint8_t * pucEthernetBuffer;
     struct xPacketSummary xSet;
+    BaseType_t xReturn;
 
     /* We must have ethernet header to get frame type. */
     __CPROVER_assume( uxBufferSize >= sizeof( IPPacket_IPv6_t ) && uxBufferSize <= ipconfigNETWORK_MTU );
 
     /* Ethernet buffer is not possible to be NULL. */
     pucEthernetBuffer = ( uint8_t * ) safeMalloc( uxBufferSize );
     __CPROVER_assume( pucEthernetBuffer != NULL );
+    __CPROVER_havoc_object( pucEthernetBuffer );
 
     /* This is set before calling prvChecksumIPv6Checks. */
     xSet.pxIPPacket = ( const IPPacket_t * ) pucEthernetBuffer;
     xSet.pxIPPacket_IPv6 = ( const IPHeader_IPv6_t * ) ( pucEthernetBuffer + ipSIZE_OF_ETH_HEADER );
 
-    prvChecksumIPv6Checks( pucEthernetBuffer,
-                           uxBufferSize,
-                           &xSet );
+    xReturn = prvChecksumIPv6Checks( pucEthernetBuffer,
+                                     uxBufferSize,
+                                     &xSet );
+
+    if( xReturn == 0 )
+    {
+        __CPROVER_assert( ( xSet.usProtocolBytes <= FreeRTOS_ntohs( xSet.pxIPPacket_IPv6->usPayloadLength ) ), "xSet.usProtocolBytes shouldn't be greater than IPv6 usPayloadLength" );
+    }
 }

test/cbmc/proofs/prvChecksumIPv6Checks/prvChecksumIPv6Checks_harness.c

@@ -68,6 +68,7 @@ void test_prvAllowIPPacketIPv6_SourceUnspecifiedAddress()
     memset( &xIPv6Address, 0, sizeof( xIPv6Address ) );
     memcpy( xIPv6Address.xDestinationAddress.ucBytes, xIPAddressFive.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
     memcpy( xIPv6Address.xSourceAddress.ucBytes, FreeRTOS_in6addr_any.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
+    xIPv6Address.ucVersionTrafficClass = 0x60U;
 
     eResult = prvAllowIPPacketIPv6( &xIPv6Address, NULL, 0U );
     TEST_ASSERT_EQUAL( eReleaseBuffer, eResult );
@@ -85,6 +86,7 @@ void test_prvAllowIPPacketIPv6_DestinationUnspecifiedAddress()
     memset( &xIPv6Address, 0, sizeof( xIPv6Address ) );
     memcpy( xIPv6Address.xDestinationAddress.ucBytes, FreeRTOS_in6addr_any.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
     memcpy( xIPv6Address.xSourceAddress.ucBytes, xIPAddressFive.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
+    xIPv6Address.ucVersionTrafficClass = 0x60U;
 
     eResult = prvAllowIPPacketIPv6( &xIPv6Address, NULL, 0U );
     TEST_ASSERT_EQUAL( eReleaseBuffer, eResult );
@@ -100,6 +102,8 @@ void test_prvAllowIPPacketIPv6_HappyPath()
     NetworkBufferDescriptor_t * pxNetworkBuffer = prvInitializeNetworkDescriptor();
     TCPPacket_IPv6_t * pxTCPPacket = ( TCPPacket_IPv6_t * ) pxNetworkBuffer->pucEthernetBuffer;
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
+
     FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, NULL );
     usGenerateProtocolChecksum_ExpectAndReturn( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, pdFALSE, ipCORRECT_CRC );
 
@@ -118,6 +122,7 @@ void test_prvAllowIPPacketIPv6_MulticastAddress()
     /* Multicast IPv6 address is FF02::1 */
     IPv6_Address_t xMCIPAddress = { 0xFF, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 };
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
     memcpy( pxTCPPacket->xIPHeader.xDestinationAddress.ucBytes, xMCIPAddress.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
 
     FreeRTOS_FindEndPointOnIP_IPv6_ExpectAndReturn( &( pxTCPPacket->xIPHeader.xSourceAddress ), pxNetworkBuffer->pxEndPoint );
@@ -139,6 +144,7 @@ void test_prvAllowIPPacketIPv6_LoopbackAddress()
     TCPPacket_IPv6_t * pxTCPPacket = ( TCPPacket_IPv6_t * ) pxNetworkBuffer->pucEthernetBuffer;
     NetworkEndPoint_t xEndPoint;
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
     memcpy( pxTCPPacket->xIPHeader.xSourceAddress.ucBytes, FreeRTOS_in6addr_loopback.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
     memcpy( pxTCPPacket->xIPHeader.xDestinationAddress.ucBytes, FreeRTOS_in6addr_loopback.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
 
@@ -163,6 +169,7 @@ void test_prvAllowIPPacketIPv6_LoopbackNotMatchDest()
     NetworkBufferDescriptor_t * pxNetworkBuffer = prvInitializeNetworkDescriptor();
     TCPPacket_IPv6_t * pxTCPPacket = ( TCPPacket_IPv6_t * ) pxNetworkBuffer->pucEthernetBuffer;
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
     pxTCPPacket->xIPHeader.xDestinationAddress.ucBytes[ 15 ] = 0x11;
 
     FreeRTOS_FindEndPointOnIP_IPv6_ExpectAndReturn( &pxTCPPacket->xIPHeader.xSourceAddress, pxNetworkBuffer->pxEndPoint );
@@ -185,6 +192,7 @@ void test_prvAllowIPPacketIPv6_LoopbackNotMatchSrc()
     TCPPacket_IPv6_t * pxTCPPacket = ( TCPPacket_IPv6_t * ) pxNetworkBuffer->pucEthernetBuffer;
     NetworkEndPoint_t xEndPoint;
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
     memcpy( pxTCPPacket->xIPHeader.xDestinationAddress.ucBytes, FreeRTOS_in6addr_loopback.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
 
     FreeRTOS_FindEndPointOnIP_IPv6_ExpectAndReturn( &pxTCPPacket->xIPHeader.xSourceAddress, &xEndPoint );
@@ -206,6 +214,8 @@ void test_prvAllowIPPacketIPv6_NetworkDown()
 
     pxNetworkBuffer->pxEndPoint = NULL;
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
+
     FreeRTOS_FindEndPointOnIP_IPv6_ExpectAndReturn( &pxTCPPacket->xIPHeader.xSourceAddress, NULL );
     FreeRTOS_IsNetworkUp_IgnoreAndReturn( 0 );
     FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, NULL );
@@ -225,6 +235,8 @@ void test_prvAllowIPPacketIPv6_SelfSend()
     NetworkBufferDescriptor_t * pxNetworkBuffer = prvInitializeNetworkDescriptor();
     TCPPacket_IPv6_t * pxTCPPacket = ( TCPPacket_IPv6_t * ) pxNetworkBuffer->pucEthernetBuffer;
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
+
     FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, pxNetworkBuffer->pxEndPoint );
 
     eResult = prvAllowIPPacketIPv6( &pxTCPPacket->xIPHeader, pxNetworkBuffer, 0U );
@@ -241,6 +253,8 @@ void test_prvAllowIPPacketIPv6_ChecksumError()
     NetworkBufferDescriptor_t * pxNetworkBuffer = prvInitializeNetworkDescriptor();
     TCPPacket_IPv6_t * pxTCPPacket = ( TCPPacket_IPv6_t * ) pxNetworkBuffer->pucEthernetBuffer;
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
+
     FreeRTOS_FindEndPointOnMAC_ExpectAndReturn( &pxTCPPacket->xEthernetHeader.xSourceAddress, NULL, NULL );
     usGenerateProtocolChecksum_ExpectAndReturn( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, pdFALSE, ipWRONG_CRC );
 
@@ -260,6 +274,8 @@ void test_prvAllowIPPacketIPv6_InvalidPacket()
 
     pxNetworkBuffer->pxEndPoint = NULL;
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
+
     FreeRTOS_FindEndPointOnIP_IPv6_ExpectAndReturn( &pxTCPPacket->xIPHeader.xSourceAddress, NULL );
     FreeRTOS_IsNetworkUp_IgnoreAndReturn( 1 );
 
@@ -285,6 +301,8 @@ void test_prvAllowIPPacketIPv6_EndpointDifferentAddress()
     memcpy( xEndpoint.ipv6_settings.xIPAddress.ucBytes, xDiffIPAddress.ucBytes, ipSIZE_OF_IPv6_ADDRESS );
     pxNetworkBuffer->pxEndPoint = &xEndpoint;
 
+    pxTCPPacket->xIPHeader.ucVersionTrafficClass = 0x60U;
+
     FreeRTOS_FindEndPointOnIP_IPv6_ExpectAndReturn( &( pxTCPPacket->xIPHeader.xSourceAddress ), NULL );
     FreeRTOS_IsNetworkUp_IgnoreAndReturn( 1 );
 

test/unit-test/FreeRTOS_IPv6/FreeRTOS_IPv6_utest.c

@@ -131,7 +131,7 @@ void test_prvChecksumIPv6Checks_IncompleteIPv6Packet( void )
     BaseType_t usReturn;
     uint8_t pucEthernetBuffer[ ipconfigTCPv6_MSS ];
     IPHeader_IPv6_t * pxIPv6Packet;
-    size_t uxBufferLength = ipSIZE_OF_ETH_HEADER + ipSIZE_OF_IPv6_HEADER;
+    size_t uxBufferLength = ipSIZE_OF_ETH_HEADER + ipSIZE_OF_IPv6_HEADER + 4;
     struct xPacketSummary xSet;
 
     memset( pucEthernetBuffer, 0, ipconfigTCPv6_MSS );
@@ -205,6 +205,47 @@ void test_prvChecksumIPv6Checks_LargeExtensionHeader( void )
     TEST_ASSERT_EQUAL( 3, usReturn );
 }
 
+/**
+ * @brief Prepare a packet with large extension header length.
+ *         - ipIPv6_EXT_HEADER_ROUTING_HEADER
+ *         - ipIPv6_EXT_HEADER_HOP_BY_HOP
+ *         - ipPROTOCOL_TCP
+ */
+void test_prvChecksumIPv6Checks_IncorrectPayloadLength( void )
+{
+    BaseType_t usReturn;
+    struct xPacketSummary xSet;
+    NetworkBufferDescriptor_t * pxNetworkBuffer = prvInitializeNetworkDescriptorWithExtensionHeader( ipPROTOCOL_TCP );
+    IPHeader_IPv6_t * pxIPv6Header = ( IPHeader_IPv6_t * ) &( pxNetworkBuffer->pucEthernetBuffer[ ipSIZE_OF_ETH_HEADER ] );
+    size_t uxIndex = ipSIZE_OF_ETH_HEADER + ipSIZE_OF_IPv6_HEADER;
+
+    /* Modify the extension header */
+    pxIPv6Header->ucNextHeader = ipIPv6_EXT_HEADER_HOP_BY_HOP;
+    pxNetworkBuffer->pucEthernetBuffer[ uxIndex ] = ipIPv6_EXT_HEADER_ROUTING_HEADER;
+    pxNetworkBuffer->pucEthernetBuffer[ uxIndex + 1 ] = 5U; /* Extension header length is set to 200*8 + 8, which is larger than buffer size. */
+    uxIndex += 8;
+    pxNetworkBuffer->pucEthernetBuffer[ uxIndex ] = ipPROTOCOL_TCP;
+    pxNetworkBuffer->pucEthernetBuffer[ uxIndex + 1 ] = 0;
+    uxIndex += 8;
+
+    xSet.pxIPPacket_IPv6 = ( ( const IPHeader_IPv6_t * ) pxNetworkBuffer->pucEthernetBuffer );
+    IPHeader_IPv6_t * pxIPPacket_IPv6 = ( IPHeader_IPv6_t * ) pxNetworkBuffer->pucEthernetBuffer;
+
+    /* Incorrect payload length */
+    pxIPPacket_IPv6->usPayloadLength = FreeRTOS_ntohs( 20 );
+
+    xGetExtensionOrder_ExpectAndReturn( ipIPv6_EXT_HEADER_HOP_BY_HOP, 0U, 1 );
+    xGetExtensionOrder_ExpectAndReturn( ipIPv6_EXT_HEADER_HOP_BY_HOP, ipIPv6_EXT_HEADER_ROUTING_HEADER, 1 );
+    xGetExtensionOrder_ExpectAndReturn( ipIPv6_EXT_HEADER_ROUTING_HEADER, ipPROTOCOL_TCP, 2 );
+    xGetExtensionOrder_ExpectAndReturn( ipIPv6_EXT_HEADER_ROUTING_HEADER, ipPROTOCOL_TCP, 2 );
+
+    usReturn = prvChecksumIPv6Checks( pxNetworkBuffer->pucEthernetBuffer, pxNetworkBuffer->xDataLength, &xSet );
+
+    TEST_ASSERT_EQUAL( 4, usReturn );
+}
+
+
+
 /**
  * @brief Prepare a packet have extension with following order.
  *         - ipIPv6_EXT_HEADER_ROUTING_HEADER