If an entire snippet of a packet is marked with `gnrc_pktbuf_mark`, `pkt->data` will be set to `NULL` but the snippet is not deleted.
If `gnrc_pktbuf_mark` is used to mark an entire snippet and `pkt->size` is already aligned, then `pkt->data` will be set to `NULL`. Source:

```c
pkt->data = (pkt->size != size) ? (((uint8_t *)pkt->data) + size) :
            NULL;
```
The `NULL` pointer snippet is not removed from the packet chain.
During later use of the packet a null pointer dereference occurs.
- A crafted packet can trigger a null pointer dereference, leading to a DoS.

If the entire snippet is marked, change the type of the existing snippet instead of creating a new one. This prevents the old snippet from being left in the chain with no data.
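The following is an added model of the behaviour described above, not RIOT's code: a minimal snippet chain with hypothetical types and function names (`snip_t`, `mark_split`, `mark_fixed`, `count_null_data`, `make_pkt`) that reproduces the `NULL`-data snippet left by a whole-snippet mark and shows the suggested retype-instead-of-split fix.

```c
/* Added model of the marking bug; hypothetical types, not RIOT's API. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef struct snip {
    struct snip *next;
    void *data;
    size_t size;
    int type;
} snip_t;

/* Mirrors the described behaviour: split the first `size` bytes into a new
 * snippet inserted after pkt. When size == pkt->size, pkt->data becomes
 * NULL but pkt stays in the chain (the defect). */
static snip_t *mark_split(snip_t *pkt, size_t size, int type)
{
    if (size > pkt->size) return NULL;
    snip_t *marked = calloc(1, sizeof(*marked));
    if (marked == NULL) return NULL;
    marked->next = pkt->next;
    marked->data = pkt->data;
    marked->size = size;
    marked->type = type;
    pkt->next = marked;
    pkt->data = (pkt->size != size) ? (((uint8_t *)pkt->data) + size) : NULL;
    pkt->size -= size;
    return marked;
}

/* Suggested fix: a whole-snippet mark only changes the type of pkt. */
static snip_t *mark_fixed(snip_t *pkt, size_t size, int type)
{
    if (size == pkt->size) {
        pkt->type = type;
        return pkt;
    }
    return mark_split(pkt, size, type);
}

/* Check a consumer would want before dereferencing: any NULL-data snippets? */
static int count_null_data(const snip_t *pkt)
{
    int n = 0;
    for (; pkt != NULL; pkt = pkt->next) n += (pkt->data == NULL);
    return n;
}

/* Build a one-snippet chain over a constructed zeroed buffer. */
static snip_t *make_pkt(size_t size)
{
    snip_t *pkt = calloc(1, sizeof(*pkt));
    if (pkt != NULL) { pkt->data = calloc(size, 1); pkt->size = size; }
    return pkt;
}
```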