gnrc_ipv6_ext_frag: fail on first fragment buffer is too small

Nils Bernsdorf · miri64 · commit d64dcbb71ff1 · 2025-12-05T18:32:30.000+01:00
This case can happen if a second, but larger first fragment is send
after a smaller.
diff --git a/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c b/sys/net/gnrc/network_layer/ipv6/ext/frag/gnrc_ipv6_ext_frag.c
@@ -524,6 +524,11 @@ gnrc_pktsnip_t *gnrc_ipv6_ext_frag_reass(gnrc_pktsnip_t *pkt)
             DEBUG("ipv6_ext_frag: fragment length not divisible by 8");
             goto error_exit;
         }
+        else if (rbuf->pkt != NULL && rbuf->pkt->size < pkt->size) {
+            DEBUG("ipv6_ext_frag: reassembly buffer too small to fit first "
+                  "fragment\n");
+            goto error_exit;
+        }
         _set_nh(fh_snip->next, nh);
         gnrc_pktbuf_remove_snip(pkt, fh_snip);
         /* TODO: RFC 8200 says "- 8"; determine if `sizeof(ipv6_ext_frag_t)` is
