[tinydtls-dev] There may be some null-dereference bugs in dtls.c

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]

[tinydtls-dev] There may be some null-dereference bugs in dtls.c

From: Tuo Li <tuoli96@xxxxxxxxxxx>
Date: Wed, 9 Sep 2020 08:46:04 +0000
Accept-language: zh-CN, en-US
Arc-authentication-results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
Arc-message-signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=B5gdgD4stwbeBOW6h+SHrOnk5LTT6aEEIyiLNjMj9M0=; b=mW1excKTo6SQcqDp2C2sZcG1eolR/iRIYJOJWR98qZl8j90/W17eZ9qxkbdDPi2GCIQ7BHY0LV+NLU3mwxNlOB7eJLYtXlJQwt20yeb0tGBM1Cmd79L3w87cEgWDGma3tqFXJ3HEvaWuKMHdc+UwBMR8kiag5VYCA8/gAlZ5tqlAwz+HSt4xNHiot5Xkix0nuX5P2JxB/brxQ/LMqH+uDSB6pfWntOF90OumvMuXXwV+cQ1qtXqlC/l0Tnk/ATkJY+jMHlj6FtGhR1pBY3EeSMoiVp2VNmirH7eQ22llZvoR1RBLhroJxAeq/I+fblEX5v/2hnnGM+JXlGbNKk1zBg==
Arc-seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=CM87ec1K2FW/fjaFj+yAxrv4iWVXGYX0N/AnuVtn8VSJBowXpQ0vsA9x8JCX+0/LUtONLaDm1O0IwJWmdo9Y5TiUxS8YNQTZzSes7hrm78+r7JoG7uGFeeK60xTbX0wWYupKeSbxRdsfrgZcu1nnWAHfxG1Aw48yXRyQ0BnFNj/0SkjBn/qFoErpWU4MbpxCccSYt2xTybw99XYSgbFzNudybz9g/IZFP8jGQsHQWrxmZMutB5AuDZqsBnKpbo8p5MdW+EXkF/rnFTJqvmbCLsiAxz+fH87xVbtZBqVaatajlScZreSVb+Qwq2BgX3R5tUGx+J8c0/mhn/Lt+wNyUA==
Delivered-to: tinydtls-dev@xxxxxxxxxxx
List-archive: <https://www.eclipse.org/mailman/private/tinydtls-dev>
List-help: <mailto:tinydtls-dev-request@eclipse.org?subject=help>
List-subscribe: <https://www.eclipse.org/mailman/listinfo/tinydtls-dev>, <mailto:tinydtls-dev-request@eclipse.org?subject=subscribe>
List-unsubscribe: <https://www.eclipse.org/mailman/options/tinydtls-dev>, <mailto:tinydtls-dev-request@eclipse.org?subject=unsubscribe>
Thread-index: AQHWhoRsLBh4ol+lFUOK0qllUsjW4Q==
Thread-topic: There may be some null-dereference bugs in dtls.c

Hello!

In handle_handshake_msg(), the variable peer is checked in:

if (peer) {

dtls_stop_retransmission(ctx, peer);

}

This indicates that peer can be NULL.

If so, some null-dereference bugs will occur in handle_handshake_msg().

peer is also checked in line 3436:

if (peer && !peer->handshake_params)

and it is dereferenced in line 3451:

peer->state = DTLS_STATE_CLIENTHELLO;

Thanks!

Tuo Li

Follow-Ups:
- Re: [tinydtls-dev] There may be some null-dereference bugs in dtls.c
  - From: Olaf Bergmann

Prev by Date: Re: [tinydtls-dev] Buffer overflow in certificate request message
Next by Date: Re: [tinydtls-dev] There may be some null-dereference bugs in dtls.c
Previous by thread: [tinydtls-dev] Buffer overflow in certificate request message
Next by thread: Re: [tinydtls-dev] There may be some null-dereference bugs in dtls.c
Index(es):
- Date
- Thread

Breadcrumbs