Bug 574325 - [iot.tinydtls] Infinite loop during handshake for TinyDTLS
Summary: [iot.tinydtls] Infinite loop during handshake for TinyDTLS
Status: CLOSED MOVED
Alias: None
Product: Community
Classification: Eclipse Foundation
Component: Vulnerability Reports (show other bugs)
Version: unspecified   Edit
Hardware: PC Linux
: P3 normal with 1 vote (vote)
Target Milestone: ---   Edit
Assignee: Security vulnerabilitied reported against Eclipse projects CLA
QA Contact:
URL:
Whiteboard:
Keywords: security
Depends on:
Blocks:
 
Reported: 2021-06-19 09:24 EDT by Jerry Testing CLA
Modified: 2021-12-23 06:47 EST (History)
2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jerry Testing CLA 2021-06-19 09:24:36 EDT 
Hello,

This bug affects current TinyDTLS master (706888256c3e03d9fcf1ec37bb1dd6499213be3c).

In dtls.c:1023, there is a while loop. For every loop, the value of variable i decreases by 2. 

However, when the initial value of i is an odd number, the loop condition will be always satisfied, thereby the program enters infinite loops.
Comment 1 Jerry Testing CLA 2021-08-08 21:06:27 EDT 
In the project master branch, an infinite loop bug had been found during handling ClientHello Handshake message. Suppose you have a malicious ClientHello message with the following values for the mentioned fields:
1. Cipher Suites Length is an odd number like 3 (this is a malicious number)
2. Two Suites whose length is 4 bytes
3. Extension Length whose length is not zero like 26 bytes

After handling this message in the normal handling way as follows, we enter into the function dtls_update_parameters() at the dtls.c:980.
1. 0x4e2b02 in dtls_update_parameters /home/etinydtls/dtls.c:1024:22
2. 0x4e2b02 in handle_handshake_msg /home/etinydtls/dtls.c:3403:11
3. 0x4cb1ce in handle_handshake /home/etinydtls/dtls.c:3493:14
4. 0x4cb1ce in dtls_handle_message /home/etinydtls/dtls.c:3881:13
5. 0x4c4efc in dtls_handle_read /home/etinydtls/tests/dtls-server.c:177:10
6. 0x4c4efc in main /home/etinydtls/tests/dtls-server.c:352:2
7. 0x7fb176ab10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
8. 0x41c45d in _start (/home/etinydtls/tests/dtls-server+0x41c45d)

When coming to dtls.c:1005 in the function dtls_update_parameters(), variable i is assigned to an int number, which stands for all cipher suites' length 3 in this message. After that, the condition data_length < i + sizeof(uint16) cannot refuse this packet cannot exclude this packet, as 4+26 < 3+2 is not satisfied. Hence, we come to the loop of confirming suites at the dtls.c:1023, where i is decreased by 2 each loop. The ending loop condition includes (i == 0), while the initial value of i is 3 thereby this condition will not be satisfied. Unfortunately, one infinite loop incurs, which lets the server loop forever until consuming all resources.
Comment 2 Jerry Testing CLA 2021-08-09 12:26:08 EDT 
This bug exists through 0.9-rc1.
Comment 3 Jerry Testing CLA 2021-08-09 12:41:26 EDT 
Through Eclipse tinydtls v0.9-rc1, an infinite loop bug had been found during handling ClientHello handshake message. This bug allows remote attackers to cause a denial of service via sending a malformed ClientHello handshake message with an odd cipher suites' length, which triggers an infinite loop until consuming all resources and buffer over-read to disclose sensitive information. 

Suppose you have a malicious ClientHello message with the following values for the mentioned fields:
1. Cipher Suites Length is an odd number like 3 (this is a malicious number)
2. Two Suites whose length is 4 bytes
3. Extension Length whose length is not zero like 26 bytes

After handling this message in the normal handling way as follows, we enter into the function dtls_update_parameters() at the dtls.c:980.
1. 0x4e2b02 in dtls_update_parameters /home/etinydtls/dtls.c:1024:22
2. 0x4e2b02 in handle_handshake_msg /home/etinydtls/dtls.c:3403:11
3. 0x4cb1ce in handle_handshake /home/etinydtls/dtls.c:3493:14
4. 0x4cb1ce in dtls_handle_message /home/etinydtls/dtls.c:3881:13
5. 0x4c4efc in dtls_handle_read /home/etinydtls/tests/dtls-server.c:177:10
6. 0x4c4efc in main /home/etinydtls/tests/dtls-server.c:352:2
7. 0x7fb176ab10b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
8. 0x41c45d in _start (/home/etinydtls/tests/dtls-server+0x41c45d)

When coming to dtls.c:1005 in the function dtls_update_parameters(), variable i is assigned to an int number, which stands for all cipher suites' length 3 in this message. After that, the condition data_length < i + sizeof(uint16) cannot refuse this packet cannot exclude this packet, as 4+26 < 3+2 is not satisfied. Hence, we come to the loop of confirming suites at the dtls.c:1023, where i is decreased by 2 each loop. The ending loop condition includes (i == 0), while the initial value of i is 3 thereby this condition will not be satisfied. Unfortunately, dtls server loops forever with unreachable exit conditions.
Comment 4 Wayne Beaton CLA 2021-08-09 13:24:34 EDT 
/cc project lead.

Note that the Tinydtls component is archived and we don't get notifications of issue reports filed against it. In the future, file directly against Community/Vulnerability Reports.
Comment 5 Wayne Beaton CLA 2021-08-16 13:50:15 EDT 
Project team: there's help in the handbook [1] regarding how we handle vulnerability reports.

[1] https://www.eclipse.org/projects/handbook/#vulnerability
Comment 6 Frederic Gurr CLA 2021-12-23 06:47:37 EST 
This issue has been migrated to https://gitlab.eclipse.org/eclipsefdn/helpdesk/-/issues/607.