Skip to content

Reject undersized UDP packets before reading header fields#15

Open
acts-1631 wants to merge 1 commit into
karlkleinpaste:masterfrom
acts-1631:fix/undersized-packet-stack-disclosure
Open

Reject undersized UDP packets before reading header fields#15
acts-1631 wants to merge 1 commit into
karlkleinpaste:masterfrom
acts-1631:fix/undersized-packet-stack-disclosure

Conversation

@acts-1631

Copy link
Copy Markdown

ReceiveInternal formats the received packet's uuid and body into a
diagnostic dump that is passed to the application's nav_func callback,
but there was no minimum length check after recvfrom. A packet shorter
than BSP_HEADER_SIZE (32 bytes) leaves the uuid field and body as
uninitialized stack memory, which then gets formatted into the dump.
MemorySanitizer confirms use-of-uninitialized-value on the uuid read
after a 6-byte recvfrom.

This adds a recv_size < BSP_HEADER_SIZE check right after recvfrom
returns. Undersized packets are reported as an error via nav_func and
skipped before any uninitialized header field is read.

ReceiveInternal calls InitSelectRead (recvfrom) into a stack-allocated
BibleSyncMessage and immediately formats the uuid and body into a
diagnostic dump that is passed to the application's nav_func callback.
There was no minimum length check, so a packet shorter than
BSP_HEADER_SIZE (32 bytes) leaves the uuid field (offsets 16-31) and
body (offset 32+) as uninitialized stack memory, which then gets
formatted into the dump and handed to the application.

MemorySanitizer confirms use-of-uninitialized-value when reading the
uuid field after a 6-byte recvfrom.

Add a recv_size < BSP_HEADER_SIZE check immediately after recvfrom
returns. Undersized packets are reported as an error via nav_func and
skipped before any uninitialized header field is read.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant