RIOT OS Buffer Overflow Vulnerability in Link Layer Address Filter

Vulnerability

A buffer overflow vulnerability has been identified in RIOT OS versions through 2025.04, in the link layer address filter component. The root cause is an ineffective size check: it relies on an assertion, and assertions are typically compiled out of production builds, so the length is never actually validated. In the vulnerable 'l2filter_add()' function, the 'addr_len' parameter is checked against the maximum address length constant only by an assertion. If an attacker supplies an 'addr_len' larger than that maximum, the address is copied past the end of the fixed-size address buffer, overwriting adjacent memory. With assertions disabled there is no safeguard against this. The consequences of the overflow can vary, ranging from a denial of service to arbitrary code execution.

Impact

Exploitation of this vulnerability can cause a buffer overflow, with potential consequences ranging from a denial of service to arbitrary code execution.

Reproduction

The vulnerability can be reproduced by calling 'l2filter_add()' with an 'addr_len' value exceeding 'CONFIG_L2FILTER_ADDR_MAXLEN' in a build with assertions disabled. The size check is then absent, and the copy overwrites memory past the allocated link layer address buffer.

Remediation

Users can update to the patched version of RIOT OS, which is available in the official repository.
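As an added illustration (not RIOT's own code, and not the project's actual patch), the following models the filter entry and shows the hardened form of the check: the assertion is kept for debug builds, but the length is also rejected at runtime, so disabling assertions (NDEBUG) no longer removes the bound. The struct layout, list size, return codes and sample address are assumptions modelled on the description above.

```c
#include <assert.h>
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed model of the filter; sizes and layout are assumed, not RIOT's definition. */
#define CONFIG_L2FILTER_ADDR_MAXLEN 8
#define CONFIG_L2FILTER_LISTSIZE 4

typedef struct {
    uint8_t addr[CONFIG_L2FILTER_ADDR_MAXLEN]; /* fixed-size storage: the overflow target */
    size_t addr_len;                           /* 0 marks an unused slot (assumption) */
} l2filter_t;

/* Hardened add: the bound is a real runtime check, not only an assert.
 * With NDEBUG the assert() vanishes, but the if() stays and protects memcpy(). */
int l2filter_add_checked(l2filter_t *list, const uint8_t *addr, size_t addr_len)
{
    assert(list && addr);
    if (addr_len == 0 || addr_len > CONFIG_L2FILTER_ADDR_MAXLEN) {
        return -EINVAL; /* reject before anything is written */
    }
    for (unsigned i = 0; i < CONFIG_L2FILTER_LISTSIZE; i++) {
        if (list[i].addr_len == 0) {
            memcpy(list[i].addr, addr, addr_len); /* bounded by the check above */
            list[i].addr_len = addr_len;
            return 0;
        }
    }
    return -ENOMEM; /* no free slot */
}

/* Self-check: a valid address is stored, an oversized one is rejected and leaves the list untouched. */
int l2filter_selfcheck(void)
{
    l2filter_t list[CONFIG_L2FILTER_LISTSIZE];
    memset(list, 0, sizeof(list));
    const uint8_t mac[6] = {0x02, 0x11, 0x22, 0x33, 0x44, 0x55}; /* constructed sample address */
    uint8_t oversized[CONFIG_L2FILTER_ADDR_MAXLEN + 8];           /* longer than the buffer */
    memset(oversized, 0xAA, sizeof(oversized));
    if (l2filter_add_checked(list, mac, sizeof(mac)) != 0) return 1;
    if (l2filter_add_checked(list, oversized, sizeof(oversized)) != -EINVAL) return 2;
    if (list[0].addr_len != sizeof(mac) || list[1].addr_len != 0) return 3;
    return 0;
}
```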

Added: Jul 18, 2025, 5:55 PM
Updated: Jul 18, 2025, 5:55 PM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 7.2
remediation: 0.0
relevance: 0.3
threat: 4.8
urgency: 2.9
incentive: 9.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.