Integer underflow in size calculation for memcpy during processing of a 6LoWPAN packet.
While copying the payload from the 6LoWPAN snippet to the IPv6 snippet, the payload size is calculated as the size of the 6LoWPAN packet minus the offset that remains after decompressing the header.
A crafted packet can lead to the offset being larger than the size of the packet.
In this case payload_offset is larger than sixlo->size, so the unsigned subtraction underflows and memcpy is handed a huge length. Source:
    /* sixlo->size - payload_offset wraps around when payload_offset > sixlo->size */
    memcpy(((uint8_t *)ipv6->data) + uncomp_hdr_len,
           ((uint8_t *)sixlo->data) + payload_offset,
           sixlo->size - payload_offset);
- A large OOB memcpy is started in the packet buffer, resulting in a crash once the end of memory is reached
- A manipulated packet can lead to DoS
- Based on timing (context switch during memcpy operation) and board RAM (>64kB of RAM), corruption might be exploitable to RCE
During header decompression, check that the payload offset doesn't exceed the packet size before the length is computed.
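The wrapping length expression beside a checked copy, as an added example that is not code from the original report or the project itself; pkt_t, SAMPLE_SIZE, BAD_OFFSET and the demo helpers are constructed stand-ins for the real packet snippets.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the packet snippets (not the project's own type). */
typedef struct { uint8_t *data; size_t size; } pkt_t;

/* The length expression from the report, unchanged: when payload_offset exceeds
 * sixlo->size the size_t subtraction wraps, and memcpy would get a huge length. */
size_t unchecked_payload_len(const pkt_t *sixlo, size_t payload_offset) {
    return sixlo->size - payload_offset;
}

/* Hardened copy: validate the offset (and the room in the destination) before
 * the subtraction, so the length can never wrap. Returns -1 to signal "drop the
 * packet", otherwise the number of payload bytes copied. */
long copy_payload_checked(pkt_t *ipv6, size_t uncomp_hdr_len,
                          const pkt_t *sixlo, size_t payload_offset) {
    if (payload_offset > sixlo->size) {
        return -1;          /* decompressed header runs past the packet end */
    }
    size_t len = sixlo->size - payload_offset;
    if (uncomp_hdr_len > ipv6->size || len > ipv6->size - uncomp_hdr_len) {
        return -1;          /* IPv6 snippet cannot hold header + payload */
    }
    memcpy(ipv6->data + uncomp_hdr_len, sixlo->data + payload_offset, len);
    return (long)len;
}

/* Constructed sample: a 20-byte 6LoWPAN packet. A crafted header that decompresses
 * to a 24-byte offset puts payload_offset past the end of the packet. */
#define SAMPLE_SIZE 20
#define BAD_OFFSET  24
#define GOOD_OFFSET 4

size_t demo_unchecked_len(void) {
    uint8_t buf[SAMPLE_SIZE] = {0};
    pkt_t sixlo = { buf, SAMPLE_SIZE };
    return unchecked_payload_len(&sixlo, BAD_OFFSET);   /* wraps to SIZE_MAX - 3 */
}

long demo_checked(size_t payload_offset) {
    uint8_t src[SAMPLE_SIZE], dst[64] = {0};
    for (size_t i = 0; i < SAMPLE_SIZE; i++) src[i] = (uint8_t)i;
    pkt_t sixlo = { src, SAMPLE_SIZE };
    pkt_t ipv6 = { dst, sizeof dst };   /* 40-byte uncompressed header assumed below */
    return copy_payload_checked(&ipv6, 40, &sixlo, payload_offset);
}
```

An offset equal to the packet size is still accepted (zero-length payload); only an offset beyond it is rejected.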