Integer overflow in icmpv6 echo packet creation #19829
Description
It is possible for an integer overflow of len/data_len to occur as part of gnrc_icmpv6_echo_send/gnrc_icmpv6_echo_build when computing the total length of the packet including the header, i.e. data_len + sizeof(icmpv6_echo_t) at gnrc_icmpv6_echo.c:34.
Depending on the value used, this results in either a null pointer dereference at gnrc_icmpv6.c:136 (if len == (SIZE_MAX - 8)) or a buffer overflow at gnrc_icmpv6_echo.c:181 (if (SIZE_MAX - 8) < len <= SIZE_MAX).
It's probably more an issue of API misuse than anything -- but it is pretty easy to accidentally trigger through the shell interface (see below):
Steps to reproduce the issue
It's pretty easy to trigger in the gnrc_networking example because the -s option allows negative numbers, meaning we can run the following to get a segfault:
main(): This is RIOT! (Version: 2023.07-devel-693-g561e1)
RIOT network stack example application
All up, running the shell now
> ping -s -7 ::1
ping -s -7 ::1
Segmentation fault (core dumped)
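To make the two failure points concrete, here is an added example (not RIOT's code; it uses a stand-in 8-byte echo header struct named echo_hdr_t and a hypothetical MAX_PAYLOAD cap) showing how a negative -s value becomes a huge size_t, how the unchecked data_len + sizeof(header) sum wraps to a tiny total, and the two checks that close both holes: an overflow-checked length computation and a strict parser for the payload-size argument.

```c
/* Added example, not RIOT's own code. Demonstrates the size_t wrap-around
 * described in the issue and the defensive checks that prevent it. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for icmpv6_echo_t: type, code, checksum, id, sequence = 8 bytes,
 * matching the "SIZE_MAX - 8" boundary the issue refers to. */
typedef struct {
    uint8_t  type;
    uint8_t  code;
    uint16_t csum;
    uint16_t id;
    uint16_t seq;
} echo_hdr_t;

/* Hypothetical upper bound for a ping payload; RIOT's real limit may differ. */
#define MAX_PAYLOAD 65535u

/* What a naive shell handler does: "-7" parses as -7 and the cast to size_t
 * wraps it to SIZE_MAX - 6, which is then passed on as the payload length. */
size_t naive_size_arg(const char *arg)
{
    return (size_t)atoi(arg);
}

/* Unchecked total length as the issue describes it: for data_len near
 * SIZE_MAX the addition wraps, so the result is smaller than data_len and a
 * packet buffer far too small for the payload gets allocated. */
size_t echo_total_len_unchecked(size_t data_len)
{
    return data_len + sizeof(echo_hdr_t);
}

/* Checked variant: refuses any data_len whose sum with the header would
 * wrap, instead of silently producing a bogus total. */
bool echo_total_len_checked(size_t data_len, size_t *total)
{
    if (data_len > SIZE_MAX - sizeof(echo_hdr_t)) {
        return false;
    }
    *total = data_len + sizeof(echo_hdr_t);
    return true;
}

/* Strict parser for the "-s" argument: rejects negative numbers, trailing
 * garbage, out-of-range input and anything above the assumed MAX_PAYLOAD,
 * so the negative value never reaches the size_t computation at all. */
bool parse_payload_size(const char *arg, size_t *out)
{
    char *end = NULL;
    errno = 0;
    long long v = strtoll(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0') {
        return false;
    }
    if (v < 0 || (unsigned long long)v > MAX_PAYLOAD) {
        return false;
    }
    *out = (size_t)v;
    return true;
}

int main(void)
{
    size_t bad = naive_size_arg("-7");
    printf("naive -s -7 -> data_len = %zu, unchecked total = %zu\n",
           bad, echo_total_len_unchecked(bad));

    size_t total;
    printf("checked total for -s -7 accepted? %s\n",
           echo_total_len_checked(bad, &total) ? "yes" : "no");

    size_t parsed;
    printf("strict parse of \"-7\" accepted? %s\n",
           parse_payload_size("-7", &parsed) ? "yes" : "no");
    if (parse_payload_size("56", &parsed) && echo_total_len_checked(parsed, &total)) {
        printf("strict parse of \"56\" -> data_len %zu, total %zu\n", parsed, total);
    }
    return 0;
}
```

Running it shows the wrapped total (a 1-byte "packet" for -s -7 on this header size) that the unchecked path would hand to the packet buffer, while both checked paths reject the input before any allocation happens.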