
There is a logical defect that causes a denial of service vulnerability #21

Open
zztytu opened this issue May 14, 2019 · 1 comment

src/libnyoci/coap.c lines 58-116:

len = (*buffer & 0x0F);

switch((*buffer >> 4)) {
	default:
		if(key) *key += (*buffer >> 4);
		buffer += 1;
		break;

	case 13:
		buffer += 1;
		if(key)*key += 13+*buffer;
		buffer += 1;
		break;

	case 14:
		buffer += 1;
		if(key)*key += 269+buffer[1]+(buffer[0]<<8);

		buffer += 2;
		break;

	case 15:
		// End of option marker...?
		// TODO: Fail harder if len doesn't equal 15 as well!
		if (key) *key = COAP_OPTION_INVALID;
		if (value) *value = NULL;
		if (lenP) *lenP = 0;
		return NULL;
		break;
}

switch(len) {
	default:
		break;

	case 13:
		len = 13 + *buffer;
		buffer += 1;
		break;

	case 14:
		len = 269+buffer[1]+(coap_size_t)(buffer[0]<<8);
		buffer += 2;
		break;

	case 15:
		// End of option marker...?
		// TODO: Fail harder if len doesn't equal 15 as well!
		if(key)*key = COAP_OPTION_INVALID;
		if(value)*value = NULL;
		if(lenP)*lenP = 0;
		return NULL;
		break;
}

if(lenP) *lenP = len;
if(value) *value = buffer;

return (uint8_t*)buffer + len;

If the data packet is processed as shown below ([image attached to the issue, not reproduced here]), then the function coap_decode_option will set the length parameter to 0, and value_len in the function nyoci_inbound_option_strequal in src/libnyoci/nyoci-inbound.c (lines 157-168) is 0:

	coap_decode_option(self->inbound.this_option, &curr_key, (const uint8_t**)&value, &value_len);

	if (curr_key != key) {
		return false;
	}

	for (i = 0; i < value_len; i++) {
		if(!cstr[i] || (value[i] != cstr[i])) {
			return false;
		}
	}
	return cstr[i]==0;
}

If value_len is 0, the subsequent loop is not executed (line 163), and if the second argument cstr is an empty string the return value is true (normally the logic would return false inside the loop).
The function nyoci_node_list_request_handler in src/libnyociextra/nyoci-list.c, which handles requests, calls nyoci_inbound_option_strequal_const with an empty string as the second argument (lines 85-89):

	if (nyoci_inbound_option_strequal_const(COAP_OPTION_URI_PATH,"")) {
		// Eat the trailing '/'.
		nyoci_inbound_next_option(NULL, NULL);
		if(prefix[0]) prefix = NULL;
	}

Therefore, the special data packet passes the check, the program proceeds to the assignment to the variable prefix (the variable prefix is empty at this time), and the program eventually crashes:

Listening on port 5683
Segmentation fault
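The behaviour described in the report, as an added example that is not libnyoci's code: a stand-alone C model of the option decoder and the string comparison quoted above, run over constructed option bytes that carry a zero-length Uri-Path, together with a form of the prefix check that tests for NULL before reading prefix[0]. The ex_* names, the end-pointer bounds check in the decoder and the handler model are assumptions; the excerpts on this page do not show how libnyoci bounds the option read or how prefix is set before the check.

```c
/* Added example (not libnyoci code): a self-contained model of the CoAP
 * option decoding and option/string comparison quoted in the issue, plus a
 * guarded form of the prefix check. All ex_* names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define EX_URI_PATH       11u      /* CoAP Uri-Path option number (RFC 7252) */
#define EX_OPTION_INVALID 0xFFFFu  /* stands in for COAP_OPTION_INVALID */

/* Decode one option header (RFC 7252 3.1): high nibble = delta, low nibble =
 * length, each with the 13 (1 extra byte) and 14 (2 extra bytes) forms, and
 * 15 meaning the 0xFF payload marker. `key` accumulates the delta like the
 * decoder quoted above. Unlike the excerpt this takes an `end` pointer and
 * returns NULL when the option does not fit inside [buf, end). */
static const uint8_t *ex_decode_option(const uint8_t *buf, const uint8_t *end,
                                       unsigned *key, const uint8_t **value,
                                       size_t *len)
{
    unsigned delta, vlen;
    if (buf >= end) return NULL;
    delta = *buf >> 4;
    vlen  = *buf & 0x0Fu;
    buf++;
    if (delta == 15 || vlen == 15) {            /* payload marker */
        *key = EX_OPTION_INVALID; *value = NULL; *len = 0;
        return NULL;
    }
    if (delta == 13)      { if (end - buf < 1) return NULL; delta = 13 + buf[0]; buf += 1; }
    else if (delta == 14) { if (end - buf < 2) return NULL; delta = 269 + (buf[0] << 8) + buf[1]; buf += 2; }
    if (vlen == 13)       { if (end - buf < 1) return NULL; vlen = 13 + buf[0]; buf += 1; }
    else if (vlen == 14)  { if (end - buf < 2) return NULL; vlen = 269 + (buf[0] << 8) + buf[1]; buf += 2; }
    if ((size_t)(end - buf) < vlen) return NULL;   /* value runs past the packet */
    *key += delta;
    *value = buf;
    *len = vlen;
    return buf + vlen;
}

/* Same logic as nyoci_inbound_option_strequal quoted above: true iff the
 * option value equals cstr byte for byte. For a zero-length value the loop
 * never runs, so cstr == "" compares equal. */
static bool ex_option_strequal(const uint8_t *value, size_t value_len,
                               const char *cstr)
{
    size_t i;
    for (i = 0; i < value_len; i++)
        if (!cstr[i] || (uint8_t)cstr[i] != value[i]) return false;
    return cstr[i] == '\0';
}

/* Model of the Uri-Path handling in the list request handler. `opts` points
 * at the first option byte (CoAP header and token already consumed). The
 * quoted handler does `if(prefix[0]) prefix = NULL;` after matching an empty
 * Uri-Path, which reads through prefix even when it is NULL; here the NULL
 * case is tested first. Returns the resulting prefix; *saw_empty (optional)
 * reports whether an empty Uri-Path segment was consumed. */
static const char *ex_handle_uri_path(const uint8_t *opts, size_t opts_len,
                                      const char *prefix, bool *saw_empty)
{
    const uint8_t *p = opts, *end = opts + opts_len, *value;
    unsigned key = 0;
    size_t len;
    if (saw_empty) *saw_empty = false;
    while ((p = ex_decode_option(p, end, &key, &value, &len)) != NULL) {
        if (key == EX_URI_PATH && ex_option_strequal(value, len, "")) {
            if (saw_empty) *saw_empty = true;                /* the trailing '/' */
            if (prefix != NULL && prefix[0]) prefix = NULL;  /* NULL checked first */
        }
    }
    return prefix;
}

/* Constructed inputs: option bytes only, not full CoAP messages. */
static const uint8_t ex_pkt_empty_segment[]  = { 0xB0, 0xFF, 'x' };                 /* Uri-Path "", marker, payload */
static const uint8_t ex_pkt_foo_then_empty[] = { 0xB3, 'f', 'o', 'o', 0x00, 0xFF }; /* Uri-Path "foo", Uri-Path "" */
static const uint8_t ex_pkt_truncated[]      = { 0xB5, 'a', 'b' };                  /* claims 5 value bytes, has 2 */

int main(void)
{
    bool saw;
    const char *prefix = ex_handle_uri_path(ex_pkt_empty_segment,
                                            sizeof ex_pkt_empty_segment, NULL, &saw);
    printf("empty Uri-Path matched: %s, prefix now: %s\n",
           saw ? "yes" : "no", prefix ? prefix : "(null)");
    return 0;
}
```

Build with `cc -std=c99 -Wall ex.c && ./a.out`. The option byte 0xB0 (delta 11, length 0) is the case the report describes: the decoder hands back a zero-length value, ex_option_strequal reports it equal to "", and the handler reaches the prefix check with prefix still NULL; the explicit NULL test is the difference between returning normally and the segmentation fault shown above. The truncated packet shows why a decoder working on untrusted datagrams needs an end pointer at all.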

@darconeous darconeous self-assigned this May 20, 2019

@darconeous (Owner) commented May 20, 2019

Yep, that's a pretty clear logic error. Will fix.
