Incorrect handling over-large packets at dtls_ccm_decrypt_message()

[jerrytesting]

In the master branch 53a0d97, an illegal over-read bug has been found when the server handles a malicious message with the following values for the mentioned fields:

Fragment length may be a larger number like 8143, whose value can be up to (2^24-1) bytes theoretically. the peer exists and is not null. After the server handles this message in the normal way as follows(in the master branch), we enter into the function dtls_ccm_decrypt_message() at dtls-ccm.c:250.

1. 0x4e4b33 in dtls_ccm_decrypt_message /home/Research/benchmarks/tinydtls/dtls-ccm.c:250
2. 0x4dd76a in dtls_ccm_decrypt /home/Research/benchmarks/tinydtls/dtls-crypto.c:255
3. 0x4dd76a in dtls_decrypt /home/Research/benchmarks/tinydtls/dtls-crypto.c:512
4. 0x4cbfe7 in decrypt_verify /home/Research/benchmarks/tinydtls/dtls.c:3056
5. 0x4c9bbc in dtls_handle_message /home/Research/benchmarks/tinydtls/dtls.c:3782
6. 0x4c67bc in dtls_handle_read /home/Research/benchmarks/tinydtls/tests/dtls-server.c:187
7. 0x4c67bc in main /home/Research/benchmarks/tinydtls/tests/dtls-server.c:355

In the function dtls_ccm_decrypt_message(), the value of variable lm is larger than the length of the current packet, whose value is less than 1400. Hence, an illegal memory access bug appears, which leads to the server crashing, memory leak and other effects.

From DTLS12 RFC, the server should have the ability to fragment large packets. If not, over-large packets should be refused.

[31031969]

LICENSE omar alfonso rodriguez borja.txt 35425669 (3) (1).pdf 1 (1) (1) (1) (2) (2) (1).pdf

[boaks]

See eclipse/tinydtls issue #98