The buffer capacity is set by this excerpt from contiki-ng/os/net/app-layer/snmp/snmp-conf.h (lines 81 to 87 at commit 23db957; the opening conditional of the block lies outside the excerpt):

```c
/**
 * \brief Default maximum number of OIDs in one response
 */
#define SNMP_MAX_NR_VALUES 2
#endif
```
The copy loop at the start of snmp_engine_get_bulk(), from contiki-ng/os/net/app-layer/snmp/snmp-engine.c (lines 123 to 130 at commit 23db957):

```c
  /*
   * A local copy of the requested oids must be kept since
   * the varbinds are modified on the fly
   */
  original_varbinds_length = *varbinds_length;
  for(i = 0; i < original_varbinds_length; i++) {
    snmp_oid_copy(oid[i], varbinds[i].oid);
  }
```
Description of defect
References:
https://github.com/contiki-ng/contiki-ng/tree/release/v4.5
https://github.com/contiki-ng/contiki-ng/tree/release/v4.4
File:
snmp-engine.c
snmp-message.c
Analysis:
Memory access out of buffer boundaries may occur if an SNMP bulk get request with a number of OIDs larger than the engine supports is received and processed.
The OIDs listed in a request are processed by the snmp_message_decode() function without verification of the varbinds buffer capacity.
The varbinds memory buffer is written with the values provided in the SNMP request (contiki-ng/os/net/app-layer/snmp/snmp-message.c, line 245 at commit 23db957).
The buffer capacity is determined by SNMP_MAX_NR_VALUES (contiki-ng/os/net/app-layer/snmp/snmp-conf.h, lines 81 to 87 at commit 23db957).
SNMP get bulk requests are processed by the snmp_engine_get_bulk() function, which allocates a local stack buffer for the OIDs of the requested variables (contiki-ng/os/net/app-layer/snmp/snmp-engine.c, lines 116 to 121 at commit 23db957).
The stack buffer in snmp_engine_get_bulk() is populated with the OIDs as a first step, before any further processing of the data (contiki-ng/os/net/app-layer/snmp/snmp-engine.c, lines 123 to 130 at commit 23db957).
The value of varbinds_length is not verified against the capacity of the temporary oid stack buffer. If the number of requested OIDs exceeds the buffer capacity, a stack buffer overflow occurs and stack memory beyond the allocated oid buffer is overwritten with the OIDs received in the SNMP get bulk request.
As the OIDs are supplied in the request content, it may be possible to alter the return address of the snmp_engine_get_bulk() function. If the target architecture uses a common address space for program and data memory (which is common in IoT devices), it may also be possible to supply code in the SNMP request payload and redirect execution to the injected code by modifying the return address.
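As an added illustration (not code from this issue or from contiki-ng), the hardened form of the copy step described above, written against simplified stand-in types: the request-supplied varbinds_length is checked against SNMP_MAX_NR_VALUES before anything is written into the local oid buffer, and a sentinel placed after the buffer lets the caller confirm that nothing was written past it. All type and function names other than SNMP_MAX_NR_VALUES are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Simplified stand-ins for the engine's types and limits; the names below
 * (other than SNMP_MAX_NR_VALUES) are assumptions, not the project's own. */
#define SNMP_MAX_NR_VALUES 2          /* default from snmp-conf.h */
#define OID_MAX_LEN 16
#define SENTINEL 0xA5A5A5A5u

typedef struct { uint32_t data[OID_MAX_LEN]; uint8_t len; } oid_t;
typedef struct { oid_t oid; } varbind_t;

/* Models the local oid buffer of snmp_engine_get_bulk() with a sentinel
 * placed right after it, so a caller can observe whether anything was
 * written past the last slot. */
typedef struct {
  oid_t oid[SNMP_MAX_NR_VALUES];
  uint32_t sentinel;
} bulk_stack_t;

/* Hardened copy step: the request-supplied count is checked against the
 * buffer capacity before any OID is copied. Returns the number of OIDs
 * copied, or -1 when the request carries more OIDs than the engine is
 * built to hold. The original loop performs no such check. */
int get_bulk_copy_oids(bulk_stack_t *st, const varbind_t *varbinds,
                       uint32_t varbinds_length)
{
  if(st == NULL || varbinds == NULL || varbinds_length > SNMP_MAX_NR_VALUES) {
    return -1;
  }
  for(uint32_t i = 0; i < varbinds_length; i++) {
    st->oid[i] = varbinds[i].oid;   /* stands in for snmp_oid_copy() */
  }
  return (int)varbinds_length;
}

/* Constructed sample request: n varbinds whose first sub-identifier is 1..n. */
void make_request(varbind_t *vb, uint32_t n)
{
  for(uint32_t i = 0; i < n; i++) {
    memset(&vb[i], 0, sizeof vb[i]);
    vb[i].oid.data[0] = i + 1;
    vb[i].oid.len = 1;
  }
}
```

A request carrying more than SNMP_MAX_NR_VALUES OIDs is rejected before the loop runs, so the sentinel (and the real stack beyond the buffer) stays untouched.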
Type:
Result:
Target(s) affected by this defect?
Fix
Rudimentary fix to address the most critical aspect of the issue:
https://github.com/mjurczak/contiki-ng/tree/bugfix/snmp-engine
How is this defect reproduced?
An example SNMP request causing stack overwrite: