stack-buffer-overflow in metric_len
nandedkarhrishi opened this issue · 0 comments
Context:
Stack buffer overflow may be triggered while writing to a variable metric_len, which is defined as unsigned short (ref: https://github.com/openthread/wpantund/blob/master/src/ncp-spinel/SpinelNCPInstance.cpp#L2180) but is considered as unsigned int (ref: https://github.com/openthread/wpantund/blob/master/third_party/openthread/src/ncp/spinel.c#L597).
Expected behavior and actual behavior:
Expected Behavior: Trigger an exception, because the size of buffer needed is not available.
Actual Behavior: The metric_len variable triggers stack buffer overflow.
Version Details:
The issue was first found in wpantund: 4ae4619
Affected commits: 4ae4619 to bf45115
CVE
CVE-2021-33889 (Reserved)
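The width mismatch described in the report, as an added example that is not part of the original issue or of wpantund's code: a variadic unpacker stores a length through an `unsigned int *`, so the caller's variable must have that width and the length must be checked before use. `toy_unpack`, `read_metric` and the 2-byte length-prefixed wire format are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-in for a varargs unpacker. For format "d" it reads a
 * 2-byte little-endian length prefix (constructed wire format) and stores the
 * data pointer, then the length through an `unsigned int *`. */
static int toy_unpack(const uint8_t *in, size_t in_len, const char *fmt, ...)
{
    va_list ap;
    int ok = 0;
    va_start(ap, fmt);
    if (fmt[0] == 'd' && in_len >= 2) {
        const uint8_t **data = va_arg(ap, const uint8_t **);
        unsigned int *len = va_arg(ap, unsigned int *); /* full-width store */
        unsigned int n = (unsigned int)in[0] | ((unsigned int)in[1] << 8);
        if (n <= in_len - 2) { *data = in + 2; *len = n; ok = 1; }
    }
    va_end(ap);
    return ok;
}

/* Mismatched caller shape from the report, shown only as a comment:
 *     unsigned short metric_len;
 *     toy_unpack(in, in_len, "d", &metric, &metric_len);
 * The callee stores sizeof(unsigned int) bytes into an unsigned short, and
 * varargs hide the pointer-type mismatch from the compiler. */

/* Corrected caller: the receiving variable has the width the callee writes,
 * and the length is bounds-checked before it is used for a copy. */
static int read_metric(const uint8_t *in, size_t in_len,
                       uint8_t *out, size_t out_cap, size_t *out_len)
{
    const uint8_t *metric = NULL;
    unsigned int metric_len = 0;
    if (!toy_unpack(in, in_len, "d", &metric, &metric_len)) return -1;
    if (metric_len > out_cap) return -2; /* reject instead of overflowing */
    memcpy(out, metric, metric_len);
    *out_len = metric_len;
    return 0;
}

int main(void)
{
    const uint8_t frame[] = { 3, 0, 0xAA, 0xBB, 0xCC }; /* constructed input */
    uint8_t out[8]; size_t n = 0;
    return read_metric(frame, sizeof frame, out, sizeof out, &n);
}
```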