Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Unvalidated DIO prefix info length in RPL-Lite in Contiki-NG
Vulnerability Description
Contiki-NG is an open-source, cross-platform operating system for Next-Generation IoT devices. An out-of-bounds read can be caused by an incoming DIO message when using the RPL-Lite implementation in the Contiki-NG operating system. More specifically, the prefix information of the DIO message contains a field that specifies the length of an IPv6 address prefix. The value of this field is not validated, which means that an attacker can set a value that is longer than the maximum prefix length. Subsequently, a memcmp function call that compares different prefixes can be called with a length argument that surpasses the boundary of the array allocated for the prefix, causing an out-of-bounds read. The problem has been patched in the "develop" branch of Contiki-NG, and is expected to be included in the next release. Users are advised to update as soon as they are able to or to manually apply the changes in Contiki-NG pull request #2721.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Vulnerability Type
跨界内存读
Vulnerability Title
Contiki-NG 缓冲区错误漏洞
Vulnerability Description
Contiki-NG是一套用于下一代IoT(物联网)设备的开源跨平台操作系统。 Contiki-NG 4.9及之前版本存在缓冲区错误漏洞,该漏洞源于使用RPL Lite实现时,传入的DIO消息可能会导致越界读取。
CVSS Information
N/A
Vulnerability Type
N/A