Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Out of bounds memory access in SNMP BER decoder/encoder routines #1354

Open
mjurczak opened this issue Aug 17, 2020 · 1 comment
Open

Out of bounds memory access in SNMP BER decoder/encoder routines #1354

mjurczak opened this issue Aug 17, 2020 · 1 comment

Comments

@mjurczak
Copy link
Contributor

Description of defect

References:
https://github.com/contiki-ng/contiki-ng/tree/release/v4.5
https://github.com/contiki-ng/contiki-ng/tree/release/v4.4

File:

snmp-engine.c

Analysis:

Memory access out of buffer boundaries may occur if an SNMP ASN.1 BER encoder/decoder routines.

The length of provided input/output buffers is insufficiently verified when encoding and decoding data. Lack of boundary checks may lead to out-of-bounds buffer read or write access.

Example functions that make access to memory without prior verification of sufficient input data length:

snmp_ber_decode_type(unsigned char *buff, uint32_t *buff_len, uint8_t *type)

snmp_ber_decode_length(unsigned char *buff, uint32_t *buff_len, uint8_t *length)

snmp_ber_decode_integer(unsigned char *buf, uint32_t *buff_len, uint32_t *num)

snmp_ber_decode_unsigned_integer(unsigned char *buf, uint32_t *buff_len, uint8_t expected_type, uint32_t *num)

snmp_ber_decode_null(unsigned char *buf, uint32_t *buff_len)

Type:

  • Out-of-bounds memory access

Result:

  • Memory corruption
  • Invalid memory read access

Target(s) affected by this defect ?

  • contiki-ng v4.5
  • contiki-ng v4.4
@g-oikonomou
Copy link
Member

@Yagoor @mjurczak: Am I right to assume that this has been fixed in #1355 and/or #1397? Can we close?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants