Community
Participate
Working Groups
Hello, This bug affects current TinyDTLS master (706888256c3e03d9fcf1ec37bb1dd6499213be3c). In dtls.c:1023, there is a while loop. For every loop, the value of variable i decreases by 2. However, when the initial value of i is an odd number, the loop condition will be always satisfied, thereby the program enters infinite loops.
In the project master branch, an infinite loop bug had been found during handling ClientHello Handshake message. Suppose you have a malicious ClientHello message with the following values for the mentioned fields: 1. Cipher Suites Length is an odd number like 3 (this is a malicious number) 2. Two Suites whose length is 4 bytes 3. Extension Length whose length is not zero like 26 bytes After handling this message in the normal handling way as follows, we enter into the function dtls_update_parameters() at the dtls.c:980. 1. 0x4e2b02 in dtls_update_parameters /home/etinydtls/dtls.c:1024:22 2. 0x4e2b02 in handle_handshake_msg /home/etinydtls/dtls.c:3403:11 3. 0x4cb1ce in handle_handshake /home/etinydtls/dtls.c:3493:14 4. 0x4cb1ce in dtls_handle_message /home/etinydtls/dtls.c:3881:13 5. 0x4c4efc in dtls_handle_read /home/etinydtls/tests/dtls-server.c:177:10 6. 0x4c4efc in main /home/etinydtls/tests/dtls-server.c:352:2 7. 0x7fb176ab10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) 8. 0x41c45d in _start (/home/etinydtls/tests/dtls-server+0x41c45d) When coming to dtls.c:1005 in the function dtls_update_parameters(), variable i is assigned to an int number, which stands for all cipher suites' length 3 in this message. After that, the condition data_length < i + sizeof(uint16) cannot refuse this packet cannot exclude this packet, as 4+26 < 3+2 is not satisfied. Hence, we come to the loop of confirming suites at the dtls.c:1023, where i is decreased by 2 each loop. The ending loop condition includes (i == 0), while the initial value of i is 3 thereby this condition will not be satisfied. Unfortunately, one infinite loop incurs, which lets the server loop forever until consuming all resources.
This bug exists through 0.9-rc1.
Through Eclipse tinydtls v0.9-rc1, an infinite loop bug had been found during handling ClientHello handshake message. This bug allows remote attackers to cause a denial of service via sending a malformed ClientHello handshake message with an odd cipher suites' length, which triggers an infinite loop until consuming all resources and buffer over-read to disclose sensitive information. Suppose you have a malicious ClientHello message with the following values for the mentioned fields: 1. Cipher Suites Length is an odd number like 3 (this is a malicious number) 2. Two Suites whose length is 4 bytes 3. Extension Length whose length is not zero like 26 bytes After handling this message in the normal handling way as follows, we enter into the function dtls_update_parameters() at the dtls.c:980. 1. 0x4e2b02 in dtls_update_parameters /home/etinydtls/dtls.c:1024:22 2. 0x4e2b02 in handle_handshake_msg /home/etinydtls/dtls.c:3403:11 3. 0x4cb1ce in handle_handshake /home/etinydtls/dtls.c:3493:14 4. 0x4cb1ce in dtls_handle_message /home/etinydtls/dtls.c:3881:13 5. 0x4c4efc in dtls_handle_read /home/etinydtls/tests/dtls-server.c:177:10 6. 0x4c4efc in main /home/etinydtls/tests/dtls-server.c:352:2 7. 0x7fb176ab10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2) 8. 0x41c45d in _start (/home/etinydtls/tests/dtls-server+0x41c45d) When coming to dtls.c:1005 in the function dtls_update_parameters(), variable i is assigned to an int number, which stands for all cipher suites' length 3 in this message. After that, the condition data_length < i + sizeof(uint16) cannot refuse this packet cannot exclude this packet, as 4+26 < 3+2 is not satisfied. Hence, we come to the loop of confirming suites at the dtls.c:1023, where i is decreased by 2 each loop. The ending loop condition includes (i == 0), while the initial value of i is 3 thereby this condition will not be satisfied. Unfortunately, dtls server loops forever with unreachable exit conditions.
/cc project lead. Note that the Tinydtls component is archived and we don't get notifications of issue reports filed against it. In the future, file directly against Community/Vulnerability Reports.
Project team: there's help in the handbook [1] regarding how we handle vulnerability reports. [1] https://www.eclipse.org/projects/handbook/#vulnerability
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/607.