Description of defect

References:
https://github.com/contiki-ng/contiki-ng/tree/release/v4.5
https://github.com/contiki-ng/contiki-ng/tree/release/v4.4

File:
snmp-engine.c
snmp-message.c

Analysis:
Memory access out of buffer boundaries may occur if an SNMP request with a number of OIDs larger than supported by the engine is received and processed.
The OIDs listed in a request are processed by the snmp_message_decode() function without verification of the varbinds buffer capacity.
The buffer is allocated in .bss as a static variable (contiki-ng/os/net/app-layer/snmp/snmp-engine.c, line 208 in 23db957).
The varbinds memory buffer is written with the values provided in the SNMP request (contiki-ng/os/net/app-layer/snmp/snmp-message.c, line 245 in 23db957).
The buffer capacity is determined at compile time by the following definition (contiki-ng/os/net/app-layer/snmp/snmp-conf.h, lines 81 to 87 in 23db957):

     * \brief Default maximum number of OIDs in one response
     */
    #define SNMP_MAX_NR_VALUES 2
    #endif

If the number of variables in the request exceeds the allocated buffer, a memory write out of the buffer boundaries occurs. The write operation beyond the buffer capacity makes it possible to overwrite other variables allocated in the .bss section by the application.
As the sender of the frame is in control of the content that will be written beyond the buffer limits and there is no strict process memory separation in contiki-ng, this issue may allow overwriting of sensitive memory areas of the IoT device.

Type:
Out-of-bounds memory write

Result:
Memory corruption
Memory write to initialized variables segment with arbitrary data
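To make the failure mode above concrete, here is an added model of the decoding path, written for this page. It is not contiki-ng's snmp_message_decode(), nor code from the reporter's fix branch. A minimal BER VarBindList decoder stores varbinds into a modelled .bss region in which another static variable (a canary) sits directly after the varbinds array; the same input is decoded once with the capacity check missing, as the report describes, and once with the check in place. Only SNMP_MAX_NR_VALUES = 2 comes from the page; the varbind_t layout, OID_MAX_LEN, MODEL_SLOTS, the canary and the three-varbind sample request are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SNMP_MAX_NR_VALUES 2   /* the compile-time capacity from snmp-conf.h */
#define OID_MAX_LEN 16         /* assumption for this model */
#define MODEL_SLOTS 4          /* how much modelled .bss follows the array */
#define CANARY_INIT 0xC0FFEE42u

typedef struct {
    uint32_t oid[OID_MAX_LEN];
    size_t oid_len;
} varbind_t;

/* Modelled .bss: SNMP_MAX_NR_VALUES varbind slots immediately followed by
 * another static variable (the canary). One flat byte array keeps the
 * overflow within defined C so its effect can be observed. */
#define CANARY_OFF (sizeof(varbind_t) * SNMP_MAX_NR_VALUES)
#define BSS_MODEL_SIZE (sizeof(varbind_t) * MODEL_SLOTS)

static void bss_init(uint8_t *bss) {
    uint32_t c = CANARY_INIT;
    memset(bss, 0, BSS_MODEL_SIZE);
    memcpy(bss + CANARY_OFF, &c, sizeof c);
}

static uint32_t bss_canary(const uint8_t *bss) {
    uint32_t c;
    memcpy(&c, bss + CANARY_OFF, sizeof c);
    return c;
}

/* BER tag + short-form length; returns header size (2) or 0 if malformed. */
static size_t ber_hdr(const uint8_t *p, size_t n, uint8_t tag, size_t *len) {
    if (n < 2 || p[0] != tag || (p[1] & 0x80)) return 0; /* long form not modelled */
    *len = p[1];
    return (2 + *len <= n) ? 2 : 0;
}

/* Decode BER OID contents into vb->oid; returns 0 on success, -1 on error. */
static int decode_oid(const uint8_t *p, size_t n, varbind_t *vb) {
    uint32_t sub = 0;
    int pending = 0;
    if (n == 0) return -1;
    vb->oid[0] = p[0] / 40;
    vb->oid[1] = p[0] % 40;
    vb->oid_len = 2;
    for (size_t i = 1; i < n; i++) {
        sub = (sub << 7) | (p[i] & 0x7f);
        pending = (p[i] & 0x80) != 0;
        if (!pending) {
            if (vb->oid_len >= OID_MAX_LEN) return -1;
            vb->oid[vb->oid_len++] = sub;
            sub = 0;
        }
    }
    return pending ? -1 : 0;   /* trailing continuation byte is malformed */
}

/* Decode a VarBindList (SEQUENCE OF SEQUENCE { OID, NULL }) into the slots at
 * bss. check == 0 models the reported flaw: slot i is written for every varbind
 * in the request. check == 1 is the hardened form that refuses to store more
 * than SNMP_MAX_NR_VALUES. Returns varbinds stored, or -1 on malformed input
 * or (checked mode) on overflow. */
static int decode_varbinds(const uint8_t *msg, size_t n, uint8_t *bss, int check) {
    size_t len, h;
    const uint8_t *p, *end;
    int count = 0;
    if ((h = ber_hdr(msg, n, 0x30, &len)) == 0) return -1;
    p = msg + h;
    end = p + len;
    while (p < end) {
        size_t vlen, olen, nlen;
        const uint8_t *vp, *vend;
        varbind_t vb;
        if ((h = ber_hdr(p, (size_t)(end - p), 0x30, &vlen)) == 0) return -1;
        vp = p + h;
        vend = vp + vlen;
        if ((h = ber_hdr(vp, (size_t)(vend - vp), 0x06, &olen)) == 0) return -1;
        if (decode_oid(vp + h, olen, &vb) != 0) return -1;
        vp += h + olen;
        if ((h = ber_hdr(vp, (size_t)(vend - vp), 0x05, &nlen)) == 0 || nlen != 0) return -1;
        if (check && count >= SNMP_MAX_NR_VALUES) return -1; /* the missing capacity check */
        if (count >= MODEL_SLOTS) return -1;  /* keep the demo inside the modelled region */
        /* Unchecked, the third varbind lands at CANARY_OFF and clobbers the neighbour. */
        memcpy(bss + (size_t)count * sizeof vb, &vb, sizeof vb);
        count++;
        p = vend;
    }
    return count;
}

/* Constructed request (this example's own, not the reporter's hex): a VarBindList
 * carrying three sysDescr.0 (1.3.6.1.2.1.1.1.0) varbinds, one more than fits. */
static const uint8_t SAMPLE_REQUEST[] = {
    0x30, 0x2a,
    0x30, 0x0c, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, 0x00,
    0x30, 0x0c, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, 0x00,
    0x30, 0x0c, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00, 0x05, 0x00,
};

/* Run the sample through one decoder; reports whether the canary survived. */
static int run_sample(int check, int *canary_intact) {
    uint8_t bss[BSS_MODEL_SIZE];
    int n;
    bss_init(bss);
    n = decode_varbinds(SAMPLE_REQUEST, sizeof SAMPLE_REQUEST, bss, check);
    *canary_intact = bss_canary(bss) == CANARY_INIT;
    return n;
}

int main(void) {
    int intact, n = run_sample(0, &intact);
    printf("unchecked: stored %d, canary %s\n", n, intact ? "intact" : "CLOBBERED");
    n = run_sample(1, &intact);
    printf("checked:   returned %d, canary %s\n", n, intact ? "intact" : "CLOBBERED");
    return 0;
}
```

In the real engine the neighbour is whatever the linker placed after the varbinds array, not a canary, which is why the report treats the write as arbitrary memory corruption rather than a crash. The hardened branch rejects the request as soon as the decoded count reaches SNMP_MAX_NR_VALUES, before the copy, and a complete decoder would also have to handle long-form BER lengths and bound the OID sub-identifier count as shown.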
Target(s) affected by this defect?
Fix
Rudimentary fix to address the most critical aspect of the issue:
https://github.com/mjurczak/contiki-ng/tree/bugfix/snmp-engine
How is this defect reproduced?
An example hex-encoded SNMP request causing out-of-bounds memory write to varbinds: