
Fix for buffer overflow in BLE L2CAP #1662

Merged: 2 commits merged into contiki-ng:develop on Oct 27, 2021

Conversation

mo-bl (Contributor) commented Oct 12, 2021

This PR fixes a buffer overflow in the BLE L2CAP credit-based flow control.

The overflow occurs in the input_l2cap_frame_flow_channel function, as an adversary is able to control the amount of data copied by memcpy (source).

To fix this issue I suggest the following:

  • Add a condition for the first fragment that checks whether the received payload_len is larger than BLE_L2CAP_NODE_MTU, which is the length of the destination array.
  • Add an integer-overflow-resistant condition for the subsequent fragments that checks whether the sum of the received payload_len of the current fragment and the current_index of the rx_buffer is larger than BLE_L2CAP_NODE_MTU, which is the length of the destination array.

In both cases illegal frames are simply dropped.
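The two checks described in this PR, written out as an added, self-contained C model that is not Contiki-NG's own code: the struct, `accept_fragment`, `fragment_fits` and the MTU value are constructed for illustration (only the macro name BLE_L2CAP_NODE_MTU and the field names current_index and payload_len come from the PR text). The "subsequent fragment" check is phrased as a subtraction on the side already known to be in range, so the comparison cannot wrap; `naive_sum_fits` shows what happens when the same condition is computed as a truncated 16-bit sum.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption: destination buffer size. The macro name is the one named in
 * the PR; the value 1280 is constructed for this example. */
#define BLE_L2CAP_NODE_MTU 1280

/* Simplified model (not Contiki-NG's struct) of a channel's reassembly buffer. */
typedef struct {
  uint8_t sdu[BLE_L2CAP_NODE_MTU];
  uint16_t current_index;   /* bytes already copied into sdu */
} rx_buffer_t;

/* Overflow-resistant check: payload_len fits if it does not exceed the
 * remaining space. The subtraction operates on current_index, which is
 * already known to be <= BLE_L2CAP_NODE_MTU, so nothing can wrap. */
static bool fragment_fits(uint16_t current_index, uint16_t payload_len) {
  if (current_index > BLE_L2CAP_NODE_MTU) return false;
  return payload_len <= (uint16_t)(BLE_L2CAP_NODE_MTU - current_index);
}

/* The same condition computed as a 16-bit sum: current_index + payload_len
 * is truncated before the comparison, so an oversized payload_len can make
 * the sum look small and pass the check. Shown only to illustrate why the
 * PR asks for an overflow-resistant condition. */
static bool naive_sum_fits(uint16_t current_index, uint16_t payload_len) {
  uint16_t sum = (uint16_t)(current_index + payload_len);
  return sum <= BLE_L2CAP_NODE_MTU;
}

/* Model of the fixed reassembly step. First fragment: checked against the
 * whole MTU and resets the buffer. Subsequent fragments: checked against
 * the remaining space. Illegal frames are dropped (return -1) before any
 * byte is copied; otherwise returns the number of bytes copied. */
int accept_fragment(rx_buffer_t *rx, bool first,
                    const uint8_t *payload, uint16_t payload_len) {
  if (first) {
    if (payload_len > BLE_L2CAP_NODE_MTU) return -1;
    rx->current_index = 0;
  } else if (!fragment_fits(rx->current_index, payload_len)) {
    return -1;
  }
  memcpy(&rx->sdu[rx->current_index], payload, payload_len);
  rx->current_index += payload_len;
  return payload_len;
}

/* Constructed scenario: 100-byte first fragment, 1180-byte continuation
 * (buffer now exactly full), a 1-byte continuation that must be dropped,
 * and an oversized first fragment that must also be dropped. Returns the
 * final current_index (1280) or -1 if any step misbehaved. */
int demo_sequence(void) {
  static uint8_t payload[BLE_L2CAP_NODE_MTU + 1];  /* zero-filled sample data */
  rx_buffer_t rx;
  memset(&rx, 0, sizeof rx);
  if (accept_fragment(&rx, true, payload, 100) != 100) return -1;
  if (accept_fragment(&rx, false, payload, 1180) != 1180) return -1;
  if (accept_fragment(&rx, false, payload, 1) != -1) return -1;
  if (accept_fragment(&rx, true, payload, BLE_L2CAP_NODE_MTU + 1) != -1) return -1;
  return rx.current_index;
}

int main(void) {
  printf("final current_index: %d\n", demo_sequence());
  printf("naive check with index 1000, len 65000: %s\n",
         naive_sum_fits(1000, 65000) ? "accepts (wrong)" : "rejects");
  printf("subtractive check, same input: %s\n",
         fragment_fits(1000, 65000) ? "accepts" : "rejects");
  return 0;
}
```

The point of the subtractive form is that the only arithmetic happens on a value the code already bounded, which is the general pattern for any "offset plus length against capacity" check on attacker-supplied lengths.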

nvt (Member) commented Oct 22, 2021

Thanks for the fix, which checks that the destination buffer has enough space. While inspecting the code, it appears that it lacks more checks on length values extracted from input packets. This includes the frame_len (which should be checked against the available source data length data_len) and the channel->rx_buffer.sdu_length values. It is not necessary to fix it in this pull request, however.

@nvt nvt merged commit ea66afa into contiki-ng:develop Oct 27, 2021
17 checks passed
Scepticz (Contributor) commented Dec 7, 2021

The merge of this pull request fixes the issue of a previously reserved CVE:
CVE ID: 2020-12140
PRODUCT: Contiki-NG
VERSION: the issue affects versions 4.7 and earlier
PROBLEM TYPE: Memory Corruption allowing Remote Code Execution due to Buffer Overflow
DESCRIPTION: A buffer overflow in os/net/mac/ble/ble-l2cap.c in the BLE stack in Contiki-NG 4.7 and earlier allows an attacker to execute arbitrary code via malicious L2CAP frames.
