Joakim Eriksson

**Name of the Vulnerable Software and Affected Versions** Contiki-NG (affected versions not specified) **Description** The 6LoWPAN implementation in the Contiki-NG operating system contains an input function that processes incoming packets and copies them into a packet buffer. Due to a missing length check in the input function, it is possible to write outside the packet buffer's boundary. The issue can be exploited by sending either an unfragmented packet or the first fragment of a fragmented packet to a Contiki-NG system. If the packet is sufficiently large, a subsequent memory copy will cause an out-of-bounds write with data supplied by the attacker. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Contiki-NG versions prior to 4.6 Description: The RPL-Classic and RPL-Lite implementations in the Contiki-NG operating system do not validate the address pointer in the RPL source routing header. This allows an attacker to cause out-of-bounds writes with packets injected into the network stack. The issue lies in the `rpl ext header srh update` function, where the `addr ptr` variable is calculated using an unvalidated CMPR field value from the source routing header. An out-of-bounds write can be triggered due to a `memcpy` call with `addr ptr` as the destination. Recommendations: For Contiki-NG versions prior to 4.6, update to version 4.6 to resolve the issue. As a temporary workaround, users can apply a patch out-of-band. Consider restricting access to the `rpl ext header srh update` function in the `rpl-ext-header.c` modules for RPL-Classic and RPL-Lite until the issue is resolved.