[CVE-2018-6480] - type confusion in ccnl_fwd_handleInterest #159
Comments
Also,

```c
#ifdef CCNL_RIOT
#define CCNL_MAX_NONCES -1 // -1 --> detect dups by PIT
#else //!CCNL_RIOT
#define CCNL_MAX_NONCES 256 // for detected dups
#endif //CCNL_RIOT
```

Why not stick with a
I can confirm that this can lead to a memory access violation, highly likely a security issue. For the second point, I think the reason is that the current nonce detection is not really inside the specifications for any packet format. Nevertheless, this is an efficient way to prevent loops.
@blacksheeep was this issue ever addressed? Please note that there was a CVE assigned.
No, it's open still.

Do you plan on addressing this?
Hi,

the following code in `ccnl_fwd_handleInterest` assumes that the union member `s` is of type `ccnl_pktdetail_ndntlv_s`. However, if the type is in fact of type `struct ccnl_pktdetail_ccntlv_s` or `struct ccnl_pktdetail_iottlv_s`, the memory at that point is either uninitialised or points to data which is not a nonce, which renders the code using the local variable `nonce` pointless.

EDIT: There is a check for `nonce != NULL` in line 235, but I'm not sure if this is sufficient. If for example `(*pkt)->s` is of type `ccnl_pktdetail_ccntlv_s` it points to its sole member `struct ccnl_buf_s *keyid`, which in turn might not be NULL. Nevertheless, the rest of the following lines in the function assume that the local variable is set to an actual "nonce" value.

This goes on and on. The function in `ccnl_nonce_isDup` (guarded by a `USE_DUP_CHECK`) also starts to iterate over the pit and checks if the (maybe non-existing nonce field) matches data in the pit, i.e.

If this is an issue how do we handle it? I would start writing checks and guards, but I want to make sure that you consider this an issue as well (and I'm not missing a point here).

TIA
Michael
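The type confusion the report describes, as an added illustration that is not ccn-lite's code: the struct layout, the `suite` tag, the field names `s.ndntlv.nonce` and `s.ccntlv.keyid`, and the functions `nonce_unchecked`, `nonce_checked` and `accessors_disagree` are modelled on the report and are assumptions. It shows why a `nonce != NULL` guard alone does not help when another suite's member overlays the same union slot, and what a tag check adds.

```c
#include <string.h>

/* Modelled on the report: a packet carries a suite tag plus a union of
 * per-format detail structs. Layout and names are assumptions, not ccn-lite's. */
enum { SUITE_CCNTLV = 1, SUITE_NDNTLV = 2, SUITE_IOTTLV = 3 };

struct ccnl_buf_s { size_t datalen; char data[8]; };
struct ccnl_pktdetail_ccntlv_s { struct ccnl_buf_s *keyid; };  /* sole member */
struct ccnl_pktdetail_iottlv_s { int ttl; };
struct ccnl_pktdetail_ndntlv_s { struct ccnl_buf_s *nonce; int scope; };

struct ccnl_pkt_s {
    int suite;
    union {
        struct ccnl_pktdetail_ccntlv_s ccntlv;
        struct ccnl_pktdetail_iottlv_s iottlv;
        struct ccnl_pktdetail_ndntlv_s ndntlv;
    } s;
};

/* The access pattern the issue describes: the NDN member is read for every suite. */
struct ccnl_buf_s *nonce_unchecked(const struct ccnl_pkt_s *pkt)
{
    return pkt->s.ndntlv.nonce;
}

/* Hardened form: the suite tag decides which union member is live. */
struct ccnl_buf_s *nonce_checked(const struct ccnl_pkt_s *pkt)
{
    if (pkt->suite != SUITE_NDNTLV)
        return NULL;  /* this packet format carries no nonce */
    return pkt->s.ndntlv.nonce;
}

/* Build a packet of the given suite around a constructed sample buffer and
 * return 1 when the two accessors disagree, i.e. when the unchecked read
 * would pass a pointer that is not a nonce on to the duplicate check. */
int accessors_disagree(int suite)
{
    struct ccnl_buf_s buf = { 4, "abcd" };  /* constructed: a keyid or a nonce */
    struct ccnl_pkt_s pkt;
    memset(&pkt, 0, sizeof pkt);  /* real code may leave the slot uninitialised */
    pkt.suite = suite;
    if (suite == SUITE_NDNTLV)
        pkt.s.ndntlv.nonce = &buf;
    else if (suite == SUITE_CCNTLV)
        pkt.s.ccntlv.keyid = &buf;  /* overlays the slot the NDN code reads as nonce */
    return nonce_unchecked(&pkt) != nonce_checked(&pkt);
}
```

For a CCNTLV packet the unchecked read returns the `keyid` pointer, so it is non-NULL and passes the guard from the report while not being a nonce at all; the tag-checked accessor returns NULL instead.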