The parser of NDNTLV accepts the Length field of the Name without any checks.
Therefore, it is possible that the value of the length field of a component of a prefix and the actual size of the component differ.
In ccnl-pkt/ccnl-pkt-ndntlv.c:
This issue can lead to an out-of-bounds memory access when executing ccnl_ndntlv_dehead again.
Additionally, in many places CCN-lite assumes that the length of the prefix is always correct.
When the length does not match the actual component length, buffer overflows or out-of-bounds memory accesses can occur in many places, e.g.:
ccnl_prefix_dup: buffer overflow, memcpy(p->bytes + len, prefix->comp[i], p->complen[i]); copies too many bytes if p->complen[i] > len(prefix->comp[i]), which can lead to a buffer overflow of p->bytes.
ccnl_prefix_cmp: out-of-bounds memory access, if (clen != nam->complen[i] || memcmp(comp, nam->comp[i], nam->complen[i])).
ccnl_prefix_debug_info: out-of-bounds memory access, len += snprintf(buf + len, CCNL_MAX_PACKET_SIZE - len, "%.*s", p->complen[i], p->comp[i]);.
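The root cause described in the report is a TLV header decoder that trusts the declared Length. The following is an added example, not CCN-lite's own code, of a minimal NDN-TLV Name decoder that performs the missing check: every declared Length is compared against the bytes actually remaining in the enclosing buffer, and nested NameComponents are additionally bounded by the enclosing Name's value. The type codes (Name = 0x07, NameComponent = 0x08), the varnumber encoding, and the `parse_name`/`tlv_dehead` names are the standard NDN-TLV conventions and my own helper names respectively; the packets are constructed inline for the demonstration and do not come from a real capture.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* NDN-TLV type codes (standard NDN packet format values). */
#define NDN_TLV_Name          0x07
#define NDN_TLV_NameComponent 0x08

#define MAX_COMPONENTS 8

struct component { const uint8_t *data; size_t len; };
struct name      { struct component comp[MAX_COMPONENTS]; int compcnt; };

/* Read one NDN-TLV varnumber (1, 3, 5 or 9 bytes) from *buf and advance it.
   Returns -1 when the buffer is too short for the encoding itself. */
static int tlv_varnumber(const uint8_t **buf, size_t *len, uint64_t *val)
{
    if (*len < 1) return -1;
    uint8_t first = (*buf)[0];
    size_t need;
    if (first < 253)       { *val = first; need = 1; }
    else if (first == 253) need = 3;
    else if (first == 254) need = 5;
    else                   need = 9;
    if (*len < need) return -1;
    if (need > 1) {
        uint64_t v = 0;
        for (size_t i = 1; i < need; i++) v = (v << 8) | (*buf)[i];
        *val = v;
    }
    *buf += need; *len -= need;
    return 0;
}

/* Decode a TLV header (Type, Length). The check the report asks for:
   the declared Length must not exceed the bytes left in the enclosing buffer,
   so complen can never disagree with the bytes that really follow it. */
static int tlv_dehead(const uint8_t **buf, size_t *len, uint64_t *typ, size_t *vallen)
{
    uint64_t t, l;
    if (tlv_varnumber(buf, len, &t) < 0) return -1;
    if (tlv_varnumber(buf, len, &l) < 0) return -1;
    if (l > *len) return -1;            /* Length claims more than is present */
    *typ = t; *vallen = (size_t)l;
    return 0;
}

/* Parse a Name TLV into components. Returns the component count, or -1 for a
   truncated, oversized or otherwise malformed encoding. */
int parse_name(const uint8_t *buf, size_t len, struct name *out)
{
    uint64_t typ; size_t vlen;
    if (tlv_dehead(&buf, &len, &typ, &vlen) < 0 || typ != NDN_TLV_Name) return -1;
    len = vlen;                         /* components must fit inside the Name value */
    out->compcnt = 0;
    while (len > 0) {
        if (tlv_dehead(&buf, &len, &typ, &vlen) < 0) return -1;
        if (typ != NDN_TLV_NameComponent) return -1;
        if (out->compcnt >= MAX_COMPONENTS) return -1;
        out->comp[out->compcnt].data = buf;
        out->comp[out->compcnt].len  = vlen;
        out->compcnt++;
        buf += vlen; len -= vlen;
    }
    return out->compcnt;
}

/* Constructed test vectors (not real traffic). */
/* Well-formed: Name len 8 { Comp len 3 "abc", Comp len 1 "x" } */
static const uint8_t good_pkt[] = { 0x07, 0x08, 0x08, 0x03, 'a', 'b', 'c', 0x08, 0x01, 'x' };
/* Component claims length 0x50 but only 3 bytes follow inside a 5-byte Name value. */
static const uint8_t bad_component_pkt[] = { 0x07, 0x05, 0x08, 0x50, 'a', 'b', 'c' };
/* Name claims length 0x40 but the whole buffer is 5 bytes. */
static const uint8_t bad_name_pkt[] = { 0x07, 0x40, 0x08, 0x01, 'a' };

int demo_good(void)           { struct name n; return parse_name(good_pkt, sizeof good_pkt, &n); }
int demo_good_first_len(void) { struct name n; parse_name(good_pkt, sizeof good_pkt, &n); return (int)n.comp[0].len; }
int demo_bad_component(void)  { struct name n; return parse_name(bad_component_pkt, sizeof bad_component_pkt, &n); }
int demo_bad_name(void)       { struct name n; return parse_name(bad_name_pkt, sizeof bad_name_pkt, &n); }

int main(void)
{
    printf("good: %d components, first len %d\n", demo_good(), demo_good_first_len());
    printf("oversized component: %d\n", demo_bad_component());
    printf("oversized name: %d\n", demo_bad_name());
    return 0;
}
```

Rejecting the packet at the header decoder is what keeps the later consumers (the memcpy in ccnl_prefix_dup, the memcmp in ccnl_prefix_cmp, the snprintf in ccnl_prefix_debug_info) safe: once `complen[i]` is guaranteed to be backed by real bytes, their unchecked use of it is no longer reachable with attacker-controlled values.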
blacksheeep changed the title from "NDNTLV parser accepts Length field of the Name without any checks" to "[CVE-2018-6953] NDNTLV parser accepts Length field of the Name without any checks" on Feb 14, 2018.