
[CVE-2018-7039] buffer overflow in ccnl_ndntlv_prependBlob

Open mfrey opened this issue 7 years ago • 2 comments

Hi,

I think that there are multiple issues with various ccnl_<packetformat>_prependBlob functions. I've picked the ccnl_ndntlv_prependBlob as an example.

The len parameter refers to the size of the blob and offset to the position where the data in blob should be written to buf. The function returns -1 if the offset is lower than the size of the blob which is prepended to the buffer (basically if somebody tries to write before the buffer (buffer underwrite)).

```c
int
ccnl_ndntlv_prependBlob(int type, unsigned char *blob, int len,
                        int *offset, unsigned char *buf)
{
    int oldoffset = *offset;

    /* only guards against writing before buf; len itself is never validated */
    if (*offset < len)
        return -1;
    memcpy(buf + *offset - len, blob, len);
```

I've made a short illustration depicting valid input parameters and the result after the memcpy operation.


Do you agree? Also, the function lacks the size of the buffer, which would allow better error handling for invalid parameters.

TIA Michael

mfrey avatar Feb 13 '18 10:02 mfrey

After a brief discussion we agreed that this is not a vulnerability but a bug. As far as I can see throughout the code base, ccnl_ndntlv_prependBlob is used with safe parameter settings, but we should fix the function for future developers/users.

mfrey avatar Feb 13 '18 13:02 mfrey

After additional discussion, we have to add a vulnerability tag again. This is a remote vulnerability. By adding incorrect TLV information, it is possible that the length of a component inside a prefix does not correspond to the allocated data. Therefore, name->complen[cnt] can be < 0, since the length field of an NDNTLV can be up to 64 bits, while name->complen[cnt] is only a 32-bit integer.

```c
       if (ccnl_ndntlv_prependBlob(NDN_TLV_NameComponent, name->comp[cnt],
          name->complen[cnt], offset, buf) < 0)
```

To fix that, we have to change the type of complen to uint64_t inside ccnl_prefix_s.

blacksheeep avatar Feb 13 '18 15:02 blacksheeep
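An added example (not ccn-lite code) of the checks a fixed version needs: `prependBlob_checked` is a hypothetical variant that also takes the buffer size and an unsigned 64-bit length, and `original_check_passes` reproduces only the `*offset < len` guard quoted above to show that a negative `len` gets through it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Reproduces only the `*offset < len` guard quoted in the issue (no copy
 * is performed). Returns 1 when the guard lets the call through. */
static int original_check_passes(int offset, int len)
{
    return !(offset < len);   /* any negative len "passes" this test */
}

/* Hypothetical hardened variant (added example, not ccn-lite code):
 * the caller passes the buffer size, len is an unsigned 64-bit value
 * (the width of an NDN-TLV length field), and every condition is
 * checked before memcpy. Returns 0 on success, -1 on bad parameters;
 * on failure *offset is left untouched. */
static int prependBlob_checked(const unsigned char *blob, uint64_t len,
                               size_t *offset, unsigned char *buf,
                               size_t bufsize)
{
    if (blob == NULL || offset == NULL || buf == NULL)
        return -1;
    if (*offset > bufsize)      /* write position outside the buffer */
        return -1;
    if (len > *offset)          /* blob would start before buf (underwrite) */
        return -1;
    /* Here 0 <= *offset - len, and the copy ends at buf + *offset <= bufsize. */
    *offset -= (size_t)len;
    memcpy(buf + *offset, blob, (size_t)len);
    return 0;
}

/* Stand-alone check used by main(): prepend two constructed components
 * into a 16-byte buffer and return the final offset, or -1 if rejected. */
static long demo_prepend_two(void)
{
    unsigned char buf[16];
    size_t offset = sizeof buf;
    static const unsigned char a[] = "abc", b[] = "de";   /* constructed */
    if (prependBlob_checked(a, 3, &offset, buf, sizeof buf) < 0) return -1;
    if (prependBlob_checked(b, 2, &offset, buf, sizeof buf) < 0) return -1;
    return (long)offset;      /* 16 - 3 - 2 = 11; buf[11..15] == "deabc" */
}

int main(void)
{
    return demo_prepend_two() == 11 ? 0 : 1;
}
```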