CVE-2021-3321
NixOS vulnerability analysis and mitigation

Overview

An integer underflow vulnerability (CVE-2021-3321) was discovered in Zephyr versions >= 2.4.0, affecting the IEEE 802.15.4 fragment reassembly header removal functionality. The vulnerability was disclosed on October 12, 2021, and involves an incomplete check of the minimum IEEE 802.15.4 fragment size, leading to an integer underflow (Zephyr Advisory).

Technical details

The vulnerability stems from insufficient validation within the IEEE 802.15.4 fragment reassembly logic. The initial frame validation in the ieee802154_validate_frame function only accounts for the initial MPDU header data and does not validate the minimum length of the data payload for data frames. When the header is stripped, its size is assumed from the fragment's type without checking that the fragment is at least that long, leading to an integer underflow in the calculation of frag->len - hdr_len (Zephyr Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH with vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:H (NVD).

Impact

The vulnerability results in an underflowed size value being used in a memmove operation, leading to a large out-of-bounds write in a network buffer. At minimum, this causes the firmware to crash (denial of service). The resulting memory corruption may be exploitable for Remote Code Execution (RCE) on the affected board. In proof-of-concept testing, the vulnerability caused crashes in the kernel function z_time_slice due to corruption of the kernel struct 'z_kernel' (Zephyr Advisory).

Mitigation and workarounds

The vulnerability has been patched in Zephyr version 2.5.0. The fix involves validating fragment sizes before adding them to the cache, ensuring they can at least hold their header (NET_6LO_DISPATCH_FRAG1 or NET_6LO_DISPATCH_FRAGN). The patches have been implemented in main #31908 and v2.4: #33453 (Zephyr Advisory).
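The underflow described under Technical details and the size check described above, shown side by side in an added example. This is a simplified model, not Zephyr's code: struct frag and the function names are hypothetical, and the dispatch values and header lengths are taken from RFC 4944.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* 6LoWPAN fragment dispatch values and header sizes per RFC 4944. */
#define DISPATCH_MASK  0xF8
#define DISPATCH_FRAG1 0xC0
#define DISPATCH_FRAGN 0xE0
#define FRAG1_HDR_LEN  4
#define FRAGN_HDR_LEN  5

/* Simplified stand-in for a network buffer fragment (hypothetical type). */
struct frag {
    uint8_t  data[128];
    uint16_t len;
};

/* Header size implied by the fragment type; 0 if not a fragment. */
size_t frag_hdr_len(const struct frag *f)
{
    if (f->len == 0) {
        return 0;
    }
    switch (f->data[0] & DISPATCH_MASK) {
    case DISPATCH_FRAG1: return FRAG1_HDR_LEN;
    case DISPATCH_FRAGN: return FRAGN_HDR_LEN;
    default:             return 0;
    }
}

/* Size an unchecked frag->len - hdr_len yields: wraps when len < hdr_len. */
size_t unchecked_move_size(const struct frag *f)
{
    return (size_t)f->len - frag_hdr_len(f);
}

/* Checked removal: reject fragments that cannot hold their own header. */
int strip_frag_header(struct frag *f)
{
    size_t hdr_len = frag_hdr_len(f);

    if (hdr_len == 0 || f->len < hdr_len || f->len > sizeof(f->data)) {
        return -1;
    }
    memmove(f->data, f->data + hdr_len, f->len - hdr_len);
    f->len = (uint16_t)(f->len - hdr_len);
    return 0;
}
```

The comparison of the length against the header size has to happen before the subtraction; checking the result afterwards cannot work because the unsigned value has already wrapped.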

This report was generated using AI.
