gnrc_tcp: option parsing doesn't terminate on all inputs, potential DOS #12086
Labels
Area: network
Type: bug
Description
The gnrc_tcp parser for TCP options (_option_parse) doesn't terminate on all inputs. When sending a packet with an unknown option and option length zero it doesn't advance the option pointer (i.e. advances it by zero) and therefore stays in the loop forever.
RIOT/sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c
Lines 63 to 68 in a9da0dc
Steps to reproduce the issue
tap as follows: ip addr add 2001:db8::affe:1/64 dev tap0
sys/net/gnrc/transport_layer/tcp/gnrc_tcp_option.c
tests/gnrc_tcp_server/ using: TCP_SERVER_ADDR="2001:db8::affe:2" make -C tests/gnrc_tcp_server/
tests/gnrc_tcp_server using: make -C tests/gnrc_tcp_server term
For example using ./tcp-zero-option.py "2001:db8::affe:2" 80
Expected results
The application should parse the unknown option once.
Actual results
The application parses the unknown option an infinite amount of times. Example output:
Impact
Denial of service, possibly allowing battery drain, et cetera.
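The non-terminating option walk described in this report, next to a length-checked walk, as an added example (not RIOT's code and not part of the original issue). The function names, the option kind 0xfd and the byte arrays are constructed for illustration; the unchecked loop carries a step cap so the demonstration itself terminates.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPT_EOL 0 /* End of Option List, single byte */
#define OPT_NOP 1 /* No-Operation, single byte */
#define OPT_MSS 2 /* Maximum Segment Size, length 4 */

/* Constructed samples: MSS 1440, NOP, unknown kind 0xfd with length 3;
 * then unknown kind 0xfd with length 0 plus padding. */
static const uint8_t opts_ok[]   = { 2, 4, 0x05, 0xa0, 1, 0xfd, 3, 0xaa };
static const uint8_t opts_zero[] = { 0xfd, 0, 0, 0 };

/* Unchecked stepping: advance by the length byte as-is. Returns iterations run. */
size_t steps_unchecked(const uint8_t *opt, size_t len, size_t max_steps)
{
    size_t off = 0, steps = 0;
    while (off < len && steps < max_steps) {
        steps++;
        if (opt[off] == OPT_EOL) break;
        if (opt[off] == OPT_NOP) { off++; continue; }
        if (off + 1 >= len) break;
        off += opt[off + 1];          /* length 0: off never changes */
    }
    return steps;
}

/* Checked walk: returns 0 on success, -1 on a malformed option. */
int parse_options(const uint8_t *opt, size_t len, uint16_t *mss)
{
    size_t off = 0;
    while (off < len) {
        uint8_t kind = opt[off];
        if (kind == OPT_EOL) return 0;
        if (kind == OPT_NOP) { off++; continue; }
        if (len - off < 2) return -1;                 /* no room for a length byte */
        uint8_t olen = opt[off + 1];
        if (olen < 2 || olen > len - off) return -1;  /* length covers kind + length */
        if (kind == OPT_MSS && olen != 4) return -1;
        if (kind == OPT_MSS) *mss = (uint16_t)((opt[off + 2] << 8) | opt[off + 3]);
        off += olen;                                  /* always advances by >= 2 */
    }
    return 0;
}

int main(void)
{
    uint16_t mss = 0;
    printf("unchecked: %zu steps\n", steps_unchecked(opts_zero, sizeof opts_zero, 1000));
    printf("checked: %d\n", parse_options(opts_zero, sizeof opts_zero, &mss));
    return 0;
}
```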