Memory corruption (free on invalid pointer) while parsing DTLS messages
jakub-botwicz opened this issue · 2 comments
MatrixSSL DTLS server (in versions 4.2.1 Open and 4.1.0 Open) incorrectly handles incoming network messages, leading to a memory corruption issue and resulting in a crash of the server.
Proposed CVSS 3.0 score:
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Error message WITHOUT Address Sanitizer:
matrixssl-4-2-1-open$ apps/dtls/dtlsServer -p 44444
DTLS server running on port 44444
Select woke 1
Sent 44 bytes
Select woke 1
Got REQUEST_RECV from ReceivedData
Select woke 1
*** Error in `apps/dtls/dtlsServer': free(): invalid pointer: 0x000000000224ae10 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f33eff327e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f33eff3b37a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f33eff3f53c]
apps/dtls/dtlsServer[0x403804]
apps/dtls/dtlsServer[0x40be10]
apps/dtls/dtlsServer[0x4082b6]
apps/dtls/dtlsServer[0x4023dc]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f33efedb830]
apps/dtls/dtlsServer[0x402969]
======= Memory map: ========
Aborted
Reproduction:
- Download and compile MatrixSSL 4.2.1 OPEN (or earlier).
- Run DTLS server:
  cd matrixssl-4-2-1-open
  apps/dtls/dtlsServer -p 44444
- Unzip and send attached crafted message e.g. using netcat:
  netcat -u $IP 44444 < payload_matrixssl_003.raw
  where $IP is the IP of the test server
We are currently preparing a new release of MatrixSSL, including fixes for these reported DTLS issues.
Do you wish to be acknowledged in the changelogs and if so, under what name (and organization)?
Yes - please use the following info: "Jakub Botwicz (Samsung R&D Poland)"