Three out-of-bound pointers (check_certificate_request)

[bathooman]

Description

• Type: Out of bound pointer
• Priority: High
• The bug affects the develop branch
• This affects the processing of the messages on the client-side.

---

How to trigger

Upon receipt of a Certificate Request message, if the message is maliciously crafted in a way that the value of the Certificate Types Count and Signature Hash Algorithms Length are not within the boundary of the Fragment Length, three out-of-bound pointer de-reference occurs in the following three points:

1. https://github.com/eclipse/tinydtls/blob/main/dtls.c#L3529
2. https://github.com/eclipse/tinydtls/blob/main/dtls.c#L3531
3. https://github.com/eclipse/tinydtls/blob/main/dtls.c#L3508

My suggestion:

There should always be a check that ensures that the fields that represent the size of fields are within the boundary of data_length.

[boaks]

Thanks a lot for reporting!

I see, this function doesn't obey the already processed bytes by subtracting them from data_length.
And, as you report, the size of the length field must also be obeyed, e.g. in L3510, where data + 1 is used instead of data + sizeof(uint16).

I will provide a fix.

[bathooman]

It appears that this bug is fixed in #197. We can close this issue.

[boaks]

Thanks a lot for reporting.
Currently "too many" larger PRs are pending, but I plan to consolidate the parsing in general using the new macros as in PR #198