eclipse / tinydtls

Eclipse tinydtls
https://projects.eclipse.org/projects/iot.tinydtls

Three out-of-bound pointers (check_certificate_request) #196

Closed (bathooman closed this issue 1 year ago)

bathooman commented 1 year ago

Description


Upon receipt of a Certificate Request message, if the message is maliciously crafted so that the values of the Certificate Types Count and the Signature Hash Algorithms Length are not within the boundary of the Fragment Length, three out-of-bounds pointer dereferences occur at the following three points:

  1. https://github.com/eclipse/tinydtls/blob/main/dtls.c#L3529
  2. https://github.com/eclipse/tinydtls/blob/main/dtls.c#L3531
  3. https://github.com/eclipse/tinydtls/blob/main/dtls.c#L3508

My suggestion:

There should always be a check that ensures that the fields representing the size of other fields are within the boundary of data_length.
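
The check suggested above, written out as an added example that is not part of this issue thread or of the tinydtls sources. It parses the body of a TLS 1.2 / DTLS 1.2 CertificateRequest as defined in RFC 5246 section 7.4.4 (a 1-byte certificate_types count, a 2-byte supported_signature_algorithms length, a 2-byte certificate_authorities length with nested 2-byte DistinguishedName lengths), subtracting every consumed byte from data_length before the next length field is trusted. The function and type names (parse_certificate_request, unchecked_reach, cert_request_t) and the sample messages are constructed for the example; unchecked_reach only models the reach of the unchecked logic as the issue describes it and does not reproduce the original dtls.c code.

```c
/* Added example: bounds-checked CertificateRequest body parser (RFC 5246 7.4.4).
 * Not tinydtls code; names and sample bytes are constructed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    const uint8_t *cert_types; size_t cert_types_len; /* ClientCertificateType bytes */
    const uint8_t *sig_algs;   size_t sig_algs_len;   /* (hash, signature) byte pairs */
    const uint8_t *cas;        size_t cas_len;        /* DistinguishedName<2^16-1> list */
} cert_request_t;

enum { CR_OK = 0, CR_TRUNCATED = -1, CR_MALFORMED = -2 };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* certificate_authorities is a list of length-prefixed names: each DN carries its
 * own 2-byte length, so the same remaining-length discipline applies inside it. */
static int validate_dn_list(const uint8_t *p, size_t len)
{
    size_t off = 0;
    while (off < len) {
        if (len - off < 2) return CR_TRUNCATED;
        size_t dn_len = be16(p + off);
        off += 2;
        if (len - off < dn_len) return CR_TRUNCATED;
        off += dn_len;
    }
    return CR_OK;
}

/* Every length field is compared against (data_length - off), i.e. against the
 * bytes that are actually left, before the field it describes is touched. */
int parse_certificate_request(const uint8_t *data, size_t data_length, cert_request_t *out)
{
    size_t off = 0;

    /* certificate_types<1..2^8-1>: 1-byte count, then count bytes */
    if (data_length - off < 1) return CR_TRUNCATED;
    size_t n_types = data[off++];
    if (data_length - off < n_types) return CR_TRUNCATED;
    if (n_types == 0) return CR_MALFORMED;
    out->cert_types = data + off; out->cert_types_len = n_types; off += n_types;

    /* supported_signature_algorithms<2..2^16-2>: 2-byte length field; note the
     * cursor advances by the full 2 bytes of the length, not by 1 */
    if (data_length - off < 2) return CR_TRUNCATED;
    size_t n_sig = be16(data + off); off += 2;
    if (data_length - off < n_sig) return CR_TRUNCATED;
    if (n_sig < 2 || (n_sig & 1)) return CR_MALFORMED; /* whole (hash, sig) pairs */
    out->sig_algs = data + off; out->sig_algs_len = n_sig; off += n_sig;

    /* certificate_authorities<0..2^16-1>: 2-byte length, nested DN lengths inside */
    if (data_length - off < 2) return CR_TRUNCATED;
    size_t n_ca = be16(data + off); off += 2;
    if (data_length - off < n_ca) return CR_TRUNCATED;
    int rc = validate_dn_list(data + off, n_ca);
    if (rc != CR_OK) return rc;
    out->cas = data + off; out->cas_len = n_ca; off += n_ca;

    if (off != data_length) return CR_MALFORMED; /* trailing bytes in the body */
    return CR_OK;
}

/* Models the reach of a parser that trusts the count and the 16-bit length without
 * checking them against what is left (the failure mode reported in the issue).
 * Returns the one-past-the-end offset such a parser would read up to; it stops as
 * soon as the next field it would read is itself outside the buffer, so it never
 * dereferences beyond data_length. Only the two fields named in the issue are modelled. */
size_t unchecked_reach(const uint8_t *data, size_t data_length)
{
    size_t reach = 1;                      /* the count byte */
    if (reach > data_length) return reach;
    reach += data[0];                      /* count bytes of certificate types, trusted */
    if (reach > data_length) return reach;
    reach += 2;                            /* the 16-bit algorithm length */
    if (reach > data_length) return reach;
    reach += be16(data + 1 + data[0]);     /* algorithm bytes, trusted */
    return reach;
}

/* Constructed sample bodies (not captured traffic). */
static const uint8_t sample_ok[] = {
    0x02, 0x01, 0x40,                         /* 2 types: rsa_sign(1), ecdsa_sign(64) */
    0x00, 0x04, 0x04, 0x01, 0x04, 0x03,       /* 4 bytes: sha256/rsa, sha256/ecdsa */
    0x00, 0x00                                /* no certificate authorities */
};
static const uint8_t sample_with_ca[] = {
    0x02, 0x01, 0x40, 0x00, 0x04, 0x04, 0x01, 0x04, 0x03,
    0x00, 0x05, 0x00, 0x03, 0x41, 0x42, 0x43  /* one 3-byte DN (placeholder bytes) */
};
static const uint8_t sample_bad_count[] = {   /* count 255, only 10 bytes follow */
    0xFF, 0x01, 0x40, 0x00, 0x04, 0x04, 0x01, 0x04, 0x03, 0x00, 0x00
};
static const uint8_t sample_bad_siglen[] = {  /* algorithm length 65534, 6 bytes follow */
    0x02, 0x01, 0x40, 0xFF, 0xFE, 0x04, 0x01, 0x04, 0x03, 0x00, 0x00
};

int main(void)
{
    cert_request_t cr;
    printf("ok:      rc=%d\n", parse_certificate_request(sample_ok, sizeof sample_ok, &cr));
    printf("count:   rc=%d unchecked reach=%zu of %zu bytes\n",
           parse_certificate_request(sample_bad_count, sizeof sample_bad_count, &cr),
           unchecked_reach(sample_bad_count, sizeof sample_bad_count), sizeof sample_bad_count);
    printf("siglen:  rc=%d unchecked reach=%zu of %zu bytes\n",
           parse_certificate_request(sample_bad_siglen, sizeof sample_bad_siglen, &cr),
           unchecked_reach(sample_bad_siglen, sizeof sample_bad_siglen), sizeof sample_bad_siglen);
    return 0;
}
```

The pattern worth keeping from this is that `off` never exceeds `data_length`, so `data_length - off` is always a valid remaining count and every comparison is against that remainder rather than against the original length; the two crafted bodies are rejected as truncated before any of their claimed bytes are read, whereas the modelled unchecked reach runs to offset 256 and 65539 on an 11-byte buffer.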

boaks commented 1 year ago

Thanks a lot for reporting!

I see, this function doesn't account for the already processed bytes by subtracting them from data_length. And, as you report, the size of the length field must also be taken into account, e.g. in L3510, where data + 1 is used instead of data + sizeof(uint16).

I will provide a fix.

bathooman commented 1 year ago

It appears that this bug is fixed in #197. We can close this issue.

boaks commented 1 year ago

Thanks a lot for reporting. Currently "too many" larger PRs are pending, but I plan to consolidate the parsing in general using the new macros as in PR #198