[lwip-devel] [bug #61479] MQTT: DoS caused by unsigned integer overflow
From: Hyeonsu Kim
Subject: [lwip-devel] [bug #61479] MQTT: DoS caused by unsigned integer overflow
Date: Sun, 14 Nov 2021 01:31:20 -0500 (EST)
User-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.44
URL:
<https://savannah.nongnu.org/bugs/?61479>
Summary: MQTT: DoS caused by unsigned integer overflow
Project: lwIP - A Lightweight TCP/IP stack
Submitted by: icekrim
Submitted on: Sun 14 Nov 2021 06:31:19 AM UTC
Category: Security-related
Severity: 3 - Normal
Item Group: Crash Error
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Discussion Lock: Any
Planned Release: None
lwIP version: git head
_______________________________________________________
Details:
Summary:
Integer overflow in mqtt_parse_incoming of src/apps/mqtt/mqtt.c allows
attackers to perform a Denial of Service via an MQTT packet with a fixed header
length of 256 bytes or more.
Description:
mqtt.c 866
  while (p->tot_len > in_offset) {
    if ((fixed_hdr_len < 2) || ((b & 0x80) != 0)) {
      if (fixed_hdr_len < client->msg_idx) {
        b = client->rx_buffer[fixed_hdr_len];
      } else {
        b = pbuf_get_at(p, in_offset++);
        client->rx_buffer[client->msg_idx++] = b;
      }
      fixed_hdr_len++;
      if (fixed_hdr_len >= 2) {
        msg_rem_len |= (u32_t)(b & 0x7f) << ((fixed_hdr_len - 2) * 7);
        if ((b & 0x80) == 0) {
  ....
If it receives a packet of 256 bytes with b & 80 == 1, it goes into an
infinite loop and the device stops. (like [0x80]*256)
This is because fixed_hdr_len, which is a u8 type, can never be larger than
client->msg_idx (in this case 256), so in_offset cannot be increased.
I have completed the POC on the stm32 board I have personally, and I will
prepare linux porting if necessary. Thank you.
_______________________________________________________
Reply to this item at:
<https://savannah.nongnu.org/bugs/?61479>
_______________________________________________
Message sent via Savannah
https://savannah.nongnu.org/
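
Added example, not part of the original report and not lwIP's code: a bounded decoder for the MQTT Remaining Length field that rejects a header whose continuation bits never end, next to a helper that models only the u8 counter wrap described above. The names mqtt_decode_remaining_length, rl_status and u8_counter_after are hypothetical, and the 4-byte limit is taken from the MQTT specification rather than from this report.

```c
#include <stddef.h>
#include <stdint.h>

/* Result codes for this added example (hypothetical names, not lwIP's). */
enum rl_status { RL_OK = 0, RL_NEED_MORE = 1, RL_MALFORMED = -1 };

#define MQTT_MAX_RL_BYTES 4u /* MQTT allows at most 4 Remaining Length bytes */

/* Decode the Remaining Length that follows the first fixed-header byte.
 * buf/len: bytes received so far, starting at the packet-type byte.
 * On RL_OK, *rem_len holds the value and *hdr_len the fixed header size. */
enum rl_status mqtt_decode_remaining_length(const uint8_t *buf, size_t len,
                                            uint32_t *rem_len, size_t *hdr_len)
{
  uint32_t value = 0;
  size_t i; /* size_t index: cannot wrap within the 4 iterations below */

  for (i = 0; i < MQTT_MAX_RL_BYTES; i++) {
    uint8_t b;
    if (1 + i >= len) {
      return RL_NEED_MORE; /* length byte not received yet */
    }
    b = buf[1 + i];
    value |= (uint32_t)(b & 0x7f) << (7 * i); /* shift is at most 21 bits */
    if ((b & 0x80) == 0) {
      *rem_len = value;
      *hdr_len = 2 + i;
      return RL_OK;
    }
  }
  /* Continuation bit still set on the 4th length byte: reject the packet
   * so the caller can close the connection instead of reading on. */
  return RL_MALFORMED;
}

/* Models only the counter from the report: a u8 incremented once per byte. */
uint8_t u8_counter_after(unsigned increments)
{
  uint8_t fixed_hdr_len = 0;
  while (increments--) {
    fixed_hdr_len++; /* wraps from 255 back to 0 */
  }
  return fixed_hdr_len;
}
```

Because the decoder returns RL_MALFORMED after the fourth length byte, a header counter can never approach the 8-bit limit at which u8_counter_after(256) returns 0.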