Hello all,
As mentioned in previous emails, the following code represents a security risk, because keys would be truncated at the first zero-valued octet.
Also, the behavior is UNDEFINED, when there is no zero after the the psk buffer.
Please fix.
Thanks
Frank Gerlach
--- a/examples/client/object_security.c
+++ b/examples/client/object_security.c
@@ -507,7 +507,10 @@ lwm2m_object_t * get_security_object(int serverId,
targetP->securityMode = LWM2M_SECURITY_MODE_PRE_SHARED_KEY;
targetP->publicIdentity = strdup(bsPskId);
targetP->publicIdLen = strlen(bsPskId);
- targetP->secretKey = strdup(psk);
+ targetP->secretKey = malloc(pskLen+1);
+ targetP->secretKey[pskLen]=0;//make sure some other dirty code does not crash
+ memcpy(targetP->secretKey,psk,pskLen);
+ //WRONG: targetP->secretKey = strdup(psk);
Frank Gerlach
Senior Software Engineer
Office: +375
17 389 0100
x 23178
Cell: +375
29 877 4976
Email: frank_gerlach@xxxxxxxx
Minsk, Belarus (GMT+3)
epam.com
CONFIDENTIALITY CAUTION AND DISCLAIMER
This message is intended only for the use of the individual(s) or entity(ies) to which it is addressed and contains information that is legally privileged and confidential. If you are not the intended recipient, or the person responsible for delivering the
message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. All unintended recipients are obliged to delete this message and destroy any printed copies.