RIOT OS Stack-Based Buffer Overflow Vulnerability in tapslip6 Utility

A stack-based buffer overflow vulnerability has been identified in the tapslip6 utility of RIOT OS, affecting versions through 2026.01-devel-317. The issue arises from unsafe string concatenation in the devopen() function, which creates a device path using unbounded user-controlled input. The utility concatenates a fixed prefix '/dev/' with a user-supplied device name provided via the -s command-line option, without proper bounds checking. This vulnerability allows an attacker to supply an excessively long device name, overflow a fixed-size stack buffer, and cause process crashes and memory corruption. While exploitation requires local access, the tapslip6 utility is often run with elevated privileges, increasing the potential impact.

Impact

Exploitation of this vulnerability leads to a stack-based buffer overflow, causing process termination and memory corruption.

Reproduction

The vulnerability can be reproduced by running the tapslip6 utility with the -s option followed by an excessively long string that exceeds the buffer size. This can be done using a Python command to generate the long string, which is then passed as an argument to the tapslip6 command.