named-data-iot / ndn-lite

A lightweight NDN protocol stack with high-level application support including security bootstrapping, access control, trust management, etc.
https://ndn-lite.named-data.net
GNU Lesser General Public License v3.0

ndn_name_tlv_decode buffer overflow #23

Closed yoursunny closed 5 years ago

yoursunny commented 5 years ago

As of c9e68eecab5632320df76726e9e581a4892208dc, ndn_name_tlv_decode function invokes:

int counter = 0;
while (decoder->offset < start_offset + length) {
  uint32_t comp_type = 0;
  decoder_get_type(decoder, &comp_type);
  name->components[counter].type = comp_type;
  ++counter;
}

name->components is a fixed-size array. counter is incremented every time a new name component is encountered, and the function does not check whether it exceeds the array capacity. Therefore, an attacker can trigger a buffer overflow using this function.

tianyuan129 commented 5 years ago

Commit bdf9cd95eeeb5cca50ee56abdc5de9dc28cf8b5b will address this problem. Thank you for pointing this out.
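
A bounds-checked form of the decoding loop quoted in the issue, as an added example (it is not ndn-lite's code and not the contents of the commit referenced above). The `ex_*` names, the capacities and the simplified 1-byte type/length encoding are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical types and constants for illustration; not ndn-lite's definitions. */
#define EX_NAME_CAPACITY 4       /* fixed component array size (assumed value) */
#define EX_COMP_MAX_LEN  16      /* per-component value buffer (assumed value) */
#define EX_OK            0
#define EX_ERR_TRUNCATED (-1)    /* input ends inside a component */
#define EX_ERR_OVERSIZE  (-2)    /* more components, or a longer value, than fits */

typedef struct {
  uint8_t type;
  uint8_t size;
  uint8_t value[EX_COMP_MAX_LEN];
} ex_component_t;

typedef struct {
  ex_component_t components[EX_NAME_CAPACITY];
  size_t components_size;
} ex_name_t;

/* Decode components encoded as: 1-byte type, 1-byte length, value bytes.
 * (Simplified; real NDN TLV uses variable-length type and length fields.) */
int ex_name_decode(ex_name_t *name, const uint8_t *buf, size_t len)
{
  size_t offset = 0, counter = 0;
  name->components_size = 0;
  while (offset < len) {
    if (counter >= EX_NAME_CAPACITY)   /* the check the quoted loop lacks */
      return EX_ERR_OVERSIZE;
    if (len - offset < 2)              /* need both type and length bytes */
      return EX_ERR_TRUNCATED;
    uint8_t type = buf[offset], vlen = buf[offset + 1];
    offset += 2;
    if (vlen > EX_COMP_MAX_LEN)        /* value would overflow the component */
      return EX_ERR_OVERSIZE;
    if (vlen > len - offset)           /* declared length runs past the input */
      return EX_ERR_TRUNCATED;
    name->components[counter].type = type;
    name->components[counter].size = vlen;
    memcpy(name->components[counter].value, buf + offset, vlen);
    offset += vlen;
    ++counter;
  }
  name->components_size = counter;
  return EX_OK;
}
```

The capacity check runs before any write to `components[counter]`, so input carrying one component more than the array holds is rejected instead of written past the end.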