named-data-iot / ndn-lite

A lightweight NDN protocol stack with high-level application support including security bootstrapping, access control, trust management, etc.
https://ndn-lite.named-data.net
GNU Lesser General Public License v3.0

ndn_name_tlv_decode buffer overflow #27

Closed yoursunny closed 5 years ago

yoursunny commented 5 years ago

As of bdf9cd95eeeb5cca50ee56abdc5de9dc28cf8b5b, name_component_tlv_decode function invokes:

decoder_get_length(decoder, &name->components[counter].size);
int result = decoder_get_raw_buffer_value(decoder, name->components[counter].value,
                                          name->components[counter].size);

name->components[counter].value is a fixed-size buffer. name->components[counter].size comes from the network, and the function does not check whether it exceeds the buffer capacity. Therefore, an attacker can trigger a buffer overflow using this function.

The recommendation is to invoke name_component_tlv_decode instead of duplicating its logic.

tianyuan129 commented 5 years ago

Commit 513e020a28cc76ac12ee4cdb3bdaf8ebcb13428c will address this issue. ndn_name_tlv_decode now calls name_component_tlv_decode, which has a buffer capacity check, for name component decoding. Thank you for your recommendation.
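
The kind of capacity check discussed in this thread, as an added example that is not ndn-lite's code and not part of either comment: a component decoder that treats the wire length as untrusted until it fits both the fixed buffer and the bytes left in the packet. All `demo_` names and the capacity constant are hypothetical stand-ins, and only the 1-octet and 3-octet TLV length forms are handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEMO_COMPONENT_CAP 36   /* assumed fixed capacity of one component */

typedef struct { const uint8_t *buf; size_t len, pos; } demo_decoder_t;
typedef struct {
  uint32_t type;
  uint8_t  value[DEMO_COMPONENT_CAP];
  uint32_t size;
} demo_component_t;

/* Read an NDN TLV variable-size number (1-octet and 3-octet forms only). */
static int demo_get_var(demo_decoder_t *d, uint32_t *out) {
  if (d->pos >= d->len) return -1;
  uint8_t first = d->buf[d->pos++];
  if (first < 253) { *out = first; return 0; }
  if (first != 253 || d->len - d->pos < 2) return -1;
  *out = ((uint32_t)d->buf[d->pos] << 8) | d->buf[d->pos + 1];
  d->pos += 2;
  return 0;
}

/* Decode one component; nothing is copied until both length checks pass. */
int demo_component_decode(demo_decoder_t *d, demo_component_t *c) {
  uint32_t type, size;
  if (demo_get_var(d, &type) || demo_get_var(d, &size)) return -1;
  if (size > DEMO_COMPONENT_CAP) return -2;   /* would overflow c->value */
  if (size > d->len - d->pos) return -3;      /* would read past the packet */
  memcpy(c->value, d->buf + d->pos, size);
  c->type = type;
  c->size = size;
  d->pos += size;
  return 0;
}

/* Convenience wrapper: decode a single component from a byte string. */
int demo_decode_bytes(const uint8_t *wire, size_t n, demo_component_t *c) {
  demo_decoder_t d = { wire, n, 0 };
  return demo_component_decode(&d, c);
}
```

Keeping both checks in one component-level function, and having the name decoder call it rather than repeat the logic, means the bound cannot be missed in a second copy.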