net: 6lowpan: Add more sanity checks in compression code

It is possible that the packet contains some garbage even
after the 802.15.4 framer and fragmenter have passed it as a
valid packet. So we do a final check here so that the
memmove() call will have a sane value.

Weird crashes were happening without this sanity check because
uip length was smaller than the packet header length.
So the code tried to call
memmove (d=0xa80088a0 <rx_buffers+1472>,
         s=0xa8008889 <rx_buffers+1449>,
         n=3328002866)
at .../zephyr/net/ip/contiki/sicslowpan/sicslowpan_compression.c:998
and the length became too large and caused the device to crash.

Change-Id: Ibc4f1c211ec2f6d98506b89c6c3f001e20e51ea6
Signed-off-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Jukka Rissanen 2016-03-17 15:35:09 +02:00 committed by Gerrit Code Review
commit 580eddbe6a

@ -984,6 +984,17 @@ static int uncompress(struct net_buf *buf)
PRINTF("uncompress: not enough space to store uncompressed headers\n"); PRINTF("uncompress: not enough space to store uncompressed headers\n");
goto fail; goto fail;
} }
/* If the packet contains some garbage, then it is possible that
* the frame checker and fragmenter might still have accepted it.
* We need to check here that the memmove() will contain sane length
* value.
*/
if (uip_len(buf) <= uip_packetbuf_hdr_len(mbuf)) {
PRINTF("uncompress: buf len (%d) <= hdr len (%d), packet discarded.\n",
uip_len(buf), uip_packetbuf_hdr_len(mbuf));
goto fail;
}
memmove(uip_buf(buf) + uip_uncomp_hdr_len(mbuf), memmove(uip_buf(buf) + uip_uncomp_hdr_len(mbuf),
uip_buf(buf) + uip_packetbuf_hdr_len(mbuf), uip_buf(buf) + uip_packetbuf_hdr_len(mbuf),
uip_len(buf) - uip_packetbuf_hdr_len(mbuf)); uip_len(buf) - uip_packetbuf_hdr_len(mbuf));
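
Review bot: the added check `uip_len(buf) <= uip_packetbuf_hdr_len(mbuf)` only keeps the memmove() length from wrapping; it does not establish that `uip_uncomp_hdr_len(mbuf) + uip_len(buf) - uip_packetbuf_hdr_len(mbuf)` still fits in the buffer behind `uip_buf(buf)`. The condition of the preceding "not enough space to store uncompressed headers" test is not visible in this hunk; if it covers only the headers and not the moved payload, add an upper bound on the destination range here as well. Two smaller points: `<=` also discards the case where the two lengths are equal, where memmove() would simply be called with length 0, so `<` would be enough to stop the wrap unless dropping header-only packets is intended, in which case the comment should say so; and the PRINTF prints both lengths with `%d`, which should be checked against the actual type these macros yield.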