[tinydtls-dev] Buffer overflow in certificate request message
  
  
Dear tinydtls development team —

I have detected a buffer overflow vulnerability while handling a
malformed certificate request message during fuzz testing against
tinydtls.

# Affected function

check_certificate_request() in dtls.c

# Vulnerability details

If

    i = dtls_uint16_to_int(data);

in [1] evaluates to 1, variable "i" underflows during the
decrement in the subsequent loop:

    (i -= sizeof(uint16)) == 4294967295

which causes "data" to overflow in [2].

# Test harness

Please find attached a test harness as well as a crash file.

Please let me know if this is the correct channel to report this
security issue or if you need further information to reproduce the
issue.

[1] https://github.com/eclipse/tinydtls/blob/master/dtls.c#L2863
[2] https://github.com/eclipse/tinydtls/blob/master/dtls.c#L2876

Best
  -Stephan Zeisberg
    
    -- 
Stephan Zeisberg, Security Research Labs
stephan@xxxxxxxxx, +49.173.258.2698
  
Attachment:
dtls.crash
Description: Binary data
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset */
#include <stdint.h>
#include <unistd.h>
#define MAX_READ_BUF 2000
#include "session.h"
#include "dtls.h"

static dtls_context_t *dtls_context = NULL;

/* Harness: read one raw DTLS record (the attached crash file) from stdin
 * and hand it to dtls_handle_message() as if it had arrived from the peer. */
int main(int argc, char **argv) {
    session_t session;
    static uint8_t buf[MAX_READ_BUF];
    ssize_t len;

    (void)argc; (void)argv;
    memset(&session, 0, sizeof(session_t));
    session.size = sizeof(session.addr);

    dtls_init();                          /* library initialisation, required by current tinydtls */
    dtls_context = dtls_new_context(NULL);
    if (!dtls_context) {
        fprintf(stderr, "dtls_new_context failed\n");
        return 1;
    }
    dtls_connect(dtls_context, &session); /* start a client handshake so the record is processed */

    len = read(0, buf, MAX_READ_BUF);
    if (len < 0) {
        perror("read");
        return 1;
    }
    dtls_handle_message(dtls_context, &session, buf, (int)len);
    dtls_free_context(dtls_context);
    return 0;
}
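The length-handling flaw the report describes, illustrated with an added example that is not part of the original message or of tinydtls: a bounds-checked parser for the signature_algorithms list of a TLS 1.2 / DTLS 1.2 CertificateRequest (uint16 length followed by {hash, sig} byte pairs), which rejects a length of 1 before any unsigned counter can wrap. The function name, struct layout and return convention are assumptions made for this example.

```c
/* Added example, not tinydtls code: parse the signature_algorithms
 * vector of a CertificateRequest with the checks the reported loop lacks. */
#include <stddef.h>
#include <stdint.h>

struct sig_alg { uint8_t hash; uint8_t sig; };

/* Parses data[0..data_length).  Returns the number of pairs stored in
 * out, or -1 if the message is malformed or out (max_out) is too small. */
int parse_signature_algorithms(const uint8_t *data, size_t data_length,
                               struct sig_alg *out, size_t max_out)
{
    size_t remaining = data_length;
    size_t len, n = 0;

    if (remaining < sizeof(uint16_t))          /* need the length field itself */
        return -1;
    len = ((size_t)data[0] << 8) | data[1];    /* big-endian uint16 */
    data += sizeof(uint16_t);
    remaining -= sizeof(uint16_t);

    /* Two checks before the loop: the declared length must fit in what was
     * received, and it must be a whole number of 2-byte pairs.  A length of
     * 1 survives a plain ">" bounds check, yet decrementing an unsigned
     * counter by 2 turns 1 into 4294967295 (on 32-bit unsigned) and the
     * loop reads far past the buffer. */
    if (len > remaining || len % sizeof(struct sig_alg) != 0)
        return -1;

    /* Count down by whole pairs; the checks above guarantee len reaches
     * exactly zero and data never passes the end of the received message. */
    for (; len > 0; len -= sizeof(struct sig_alg)) {
        if (n >= max_out)
            return -1;                           /* caller's buffer too small */
        out[n].hash = data[0];
        out[n].sig  = data[1];
        n++;
        data += sizeof(struct sig_alg);
    }
    return (int)n;
}
```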