Skip to main content

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] [List Home]
[tinydtls-dev] Buffer overflow in certificate request message

Dear tinydtls development team —

I have detected a buffer overflow vulnerability while handling a malformed certificate request message during fuzz testing against tinydtls.

# Affected function
check_certificate_request() in dtls.c

# Vulnerability details

i = dtls_uint16_to_int(data);

in [1] evaluates to 1, variable "i" underflows during the decrement in the subsequent loop:

(i -= sizeof(uint16) ==  4294967295) )

which causes "data" to overflow in [2].

# Test harness
Please find attached a test harness as well as a crash file.

Please let me know if this is the correct channel to report this security issue or if you need further information to reproduce the issue.



    -Stephan Zeisberg

Stephan Zeisberg, Security Research Labs
stephan@xxxxxxxxx, +

Attachment: dtls.crash
Description: Binary data

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>

#define MAX_READ_BUF 2000

#include "session.h"
#include "dtls.h"

static dtls_context_t *dtls_context = NULL;

int main(int argc, char **argv) {
    session_t session;
    static uint8_t buf[MAX_READ_BUF];
    int len;

    memset(&session, 0, sizeof(session_t));
    session.size = sizeof(session.addr);
    dtls_context = dtls_new_context(NULL);
    dtls_connect(dtls_context, &session);
    len = read(0, buf, MAX_READ_BUF);
    dtls_handle_message(dtls_context, &session, buf, len);
    return 0;

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Back to the top