[lwip-devel] [bug #61479] MQTT: DoS caused by unsigned integer overflow

[Hyeonsu Kim]

URL:
  <https://savannah.nongnu.org/bugs/?61479>

                 Summary: MQTT: DoS caused by unsigned integer overflow
                 Project: lwIP - A Lightweight TCP/IP stack
            Submitted by: icekrim
            Submitted on: Sun 14 Nov 2021 06:31:19 AM UTC
                Category: Security-related
                Severity: 3 - Normal
              Item Group: Crash Error
                  Status: None
                 Privacy: Public
             Assigned to: None
             Open/Closed: Open
         Discussion Lock: Any
         Planned Release: None
            lwIP version: git head

    _______________________________________________________

Details:

Summary:
Integer overflow in mqtt_parse_incoming of src/apps/mqtt/mqtt.c allows
attackers to perform a Denial of Service via MQTT packet with fixed header
length of 256 bytes or more

Description:

mqtt.c 866

while (p->tot_len > in_offset) {
if ((fixed_hdr_len < 2) || ((b & 0x80) != 0)) {
  if (fixed_hdr_len < client->msg_idx) {
    b = client->rx_buffer[fixed_hdr_len];
  } else {
    b = pbuf_get_at(p, in_offset++);
    client->rx_buffer[client->msg_idx++] = b;
  }
  fixed_hdr_len++;
  if (fixed_hdr_len >= 2) {
    msg_rem_len |= (u32_t)(b & 0x7f) << ((fixed_hdr_len - 2) * 7);
    if ((b & 0x80) == 0) {

....

If it receives a packet of 256 bytes with b & 80 == 1, it goes into an
infinite loop and the device stops. (like [0x80]*256)

This is because fixed_hdr_len, which is a u8 type, can never be larger than
client->msg_idx (in this case 256), so in_offset cannot be increased.

I have completed the POC on the stm32 board I have personally, and I will
prepare linux porting if necessary. Thank you.




    _______________________________________________________

Reply to this item at:

  <https://savannah.nongnu.org/bugs/?61479>

_______________________________________________
  Message sent via Savannah
  https://savannah.nongnu.org/