Description of defect
References:
https://github.com/contiki-ng/contiki-ng/tree/release/v4.5
https://github.com/contiki-ng/contiki-ng/tree/release/v4.4
File:
snmp-oid.c
Analysis:
Memory access outside buffer boundaries may occur when an SNMP request with a malformed OID is processed by snmp_oid_cmp_oid(), snmp_oid_encode_oid() or snmp_oid_decode_oid() while parsing a request or assembling a response.
The buffers the SNMP implementation uses to store OID values are fixed-size, with a predefined length configurable at compile time:
contiki-ng/os/net/app-layer/snmp/snmp-conf.h, lines 65 to 75 in 31753fe
Every variable of type snmp_varbind_t embeds an OID buffer of this predefined length:
contiki-ng/os/net/app-layer/snmp/snmp.h, line 163 in 31753fe
OID buffers are allocated in the SNMP code in the following places:
Static allocation in .bss:
contiki-ng/os/net/app-layer/snmp/snmp-engine.c, line 208 in 31753fe
Stack allocation:
contiki-ng/os/net/app-layer/snmp/snmp-engine.c, line 120 in 23db957
In the OID decoding function, uint8_t *snmp_oid_decode_oid(uint8_t *buf, uint32_t *buff_len, uint32_t *oid, uint32_t *oid_len):
contiki-ng/os/net/app-layer/snmp/snmp-oid.c, line 126 in 31753fe
the length of the OID data is not verified against the remaining length of the input buffer. The length value found in the buffer is trusted to give the correct number of OID data bytes that follow:
contiki-ng/os/net/app-layer/snmp/snmp-oid.c, lines 144 to 147 in 31753fe
The decoded length is then used to compute a pointer to the end of the OID data, so the buf_end variable may point beyond the end of the input message:
contiki-ng/os/net/app-layer/snmp/snmp-oid.c, line 149 in 31753fe
because the BER length decoding function does not validate the decoded length against the remaining length of the input buffer:
contiki-ng/os/net/app-layer/snmp/snmp-ber.c, lines 138 to 144 in 31753fe
In addition, the check of the provided oid output buffer capacity in snmp_oid_decode_oid:
contiki-ng/os/net/app-layer/snmp/snmp-oid.c, lines 157 to 160 in 23db957
does not protect against the overflow when the function is called from the SNMP request parsing function:
contiki-ng/os/net/app-layer/snmp/snmp-message.c, line 245 in 23db957
because the oid_len variable is uninitialized at the time of the call.
As a result, memory beyond the provided input buffer may be read, and memory beyond the capacity of the target buffer may be written, if an OID longer than SNMP_MSG_OID_MAX_LEN is present in an SNMP request message. Because the written content comes directly from the SNMP request, stack or .bss memory regions may be overwritten with arbitrary request-supplied content when the OID length exceeds the SNMP_MSG_OID_MAX_LEN limit.
The OID copy and encode functions,
void snmp_oid_copy(uint32_t *dst, uint32_t *src)
unsigned char *snmp_oid_encode_oid(unsigned char *out, uint32_t *out_len, uint32_t *oid)
rely on the decoded OID having been terminated with a null-termination value and do not verify the capacity of the target buffers. This makes both functions vulnerable to similar out-of-bounds writes.
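A defensive decoder for the same BER OBJECT IDENTIFIER wire format, written here as an added example (it is not Contiki-NG code and not the linked fix), showing the three checks the analysis above calls for: the encoded length is bounded by the bytes actually remaining, the caller-supplied oid_len is set to the target capacity before the call, and the capacity is checked on every write instead of relying on a null terminator. BER_TAG_OID, OID_MAX_LEN, oid_decode_checked, dec, run_checks and the test vectors are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#define BER_TAG_OID 0x06
#define OID_MAX_LEN 16  /* stands in for SNMP_MSG_OID_MAX_LEN; the value is assumed */

/* Decode a short-form BER OBJECT IDENTIFIER from buf (buf_len bytes) into oid.
 * On entry *oid_len holds the capacity of oid (the caller must set it); on
 * success it holds the sub-identifier count. Returns bytes consumed, 0 on error. */
size_t oid_decode_checked(const uint8_t *buf, size_t buf_len, uint32_t *oid, uint32_t *oid_len)
{
  uint32_t cap = *oid_len, n = 0, sub = 0;
  size_t len, i;
  if(buf_len < 3 || buf[0] != BER_TAG_OID) return 0;
  len = buf[1];
  /* 1. Never trust the encoded length: it must fit in the bytes actually present. */
  if(len == 0 || len > 0x7f || len > buf_len - 2) return 0;
  if(cap < 2 || (buf[2] & 0x80)) return 0;  /* 2. first byte expands to two sub-ids */
  oid[n++] = buf[2] / 40;
  oid[n++] = buf[2] % 40;
  for(i = 3; i < 2 + len; i++) {
    if(sub >> 25) return 0;             /* next shift would overflow 32 bits */
    sub = (sub << 7) | (buf[i] & 0x7f);
    if(buf[i] & 0x80) continue;         /* continuation bit: more bytes follow */
    if(n >= cap) return 0;              /* 3. check capacity, not a terminator value */
    oid[n++] = sub;
    sub = 0;
  }
  if(buf[2 + len - 1] & 0x80) return 0; /* last sub-identifier is truncated */
  *oid_len = n;
  return 2 + len;
}
/* Constructed test vectors, not taken from the report. */
static const uint8_t v_good[]  = {0x06,0x05,0x2b,0x06,0x01,0x02,0x01};           /* 1.3.6.1.2.1 */
static const uint8_t v_multi[] = {0x06,0x07,0x2b,0x06,0x01,0x04,0x01,0x82,0x37}; /* 1.3.6.1.4.1.311 */
static const uint8_t v_len[]   = {0x06,0x40,0x2b,0x06};       /* claims 64 bytes, carries 2 */
static const uint8_t v_trunc[] = {0x06,0x03,0x2b,0x06,0x82};  /* last sub-identifier unfinished */
/* Helper: set the capacity first (the step the report says the caller skipped), then decode. */
static size_t dec(const uint8_t *b, size_t bl, uint32_t cap, uint32_t *oid, uint32_t *n)
{ *n = cap; return oid_decode_checked(b, bl, oid, n); }
/* Returns how many of the five scenarios behave as intended (expected: 5). */
int run_checks(void)
{
  uint32_t oid[OID_MAX_LEN], n, ok = 0;
  ok += dec(v_good, sizeof v_good, OID_MAX_LEN, oid, &n) == 7 && n == 6 && oid[2] == 6;
  ok += dec(v_multi, sizeof v_multi, OID_MAX_LEN, oid, &n) == 9 && n == 7 && oid[6] == 311;
  ok += dec(v_len, sizeof v_len, OID_MAX_LEN, oid, &n) == 0;     /* over-long length rejected */
  ok += dec(v_trunc, sizeof v_trunc, OID_MAX_LEN, oid, &n) == 0; /* truncated sub-id rejected */
  ok += dec(v_good, sizeof v_good, 4, oid, &n) == 0;             /* undersized target rejected */
  return (int)ok;
}
```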
Type:
Out-of-bounds memory read
Out-of-bounds memory write
Result:
Memory corruption
Memory write to areas after the target buffer end with arbitrary data
Target(s) affected by this defect?
Fix
Rudimentary fix to address the most critical aspect of the issue:
https://github.com/mjurczak/contiki-ng/tree/bugfix/snmp-engine
How is this defect reproduced?
Example code demonstrating memory buffer overflow when decoding OID: