In the master branch 53a0d97, an illegal over-read bug has been found when the server handles a malicious message with the following values for the mentioned fields:
Fragment length may be a larger number like 8143, whose value can be up to (2^24-1) bytes theoretically.
the peer exists and is not null.
After the server handles this message in the normal way as follows(in the master branch), we enter into the function dtls_ccm_decrypt_message() at dtls-ccm.c:250.
0x4e4b33 in dtls_ccm_decrypt_message /home/Research/benchmarks/tinydtls/dtls-ccm.c:250
0x4dd76a in dtls_ccm_decrypt /home/Research/benchmarks/tinydtls/dtls-crypto.c:255
0x4dd76a in dtls_decrypt /home/Research/benchmarks/tinydtls/dtls-crypto.c:512
0x4cbfe7 in decrypt_verify /home/Research/benchmarks/tinydtls/dtls.c:3056
0x4c9bbc in dtls_handle_message /home/Research/benchmarks/tinydtls/dtls.c:3782
0x4c67bc in dtls_handle_read /home/Research/benchmarks/tinydtls/tests/dtls-server.c:187
0x4c67bc in main /home/Research/benchmarks/tinydtls/tests/dtls-server.c:355
In the function dtls_ccm_decrypt_message(), the value of variable lm is larger than the length of the current packet, whose value is less than 1400. Hence, an illegal memory access bug appears, which leads to the server crashing, memory leak and other effects.
From DTLS12 RFC, the server should have the ability to fragment large packets. If not, over-large packets should be refused.
In the master branch 53a0d97, an illegal over-read bug has been found when the server handles a malicious message with the following values for the mentioned fields:
Fragment length may be a larger number like 8143, whose value can be up to (2^24-1) bytes theoretically. the peer exists and is not null. After the server handles this message in the normal way as follows(in the master branch), we enter into the function dtls_ccm_decrypt_message() at dtls-ccm.c:250.
In the function dtls_ccm_decrypt_message(), the value of variable lm is larger than the length of the current packet, whose value is less than 1400. Hence, an illegal memory access bug appears, which leads to the server crashing, memory leak and other effects.
From DTLS12 RFC, the server should have the ability to fragment large packets. If not, over-large packets should be refused.