named-data-iot/ndn-lite

ndn_name_tlv_decode buffer overflow

Closed this issue · 1 comments

As of c9e68ee, the ndn_name_tlv_decode function invokes:

int counter = 0;
while (decoder->offset < start_offset + length) {
  uint32_t comp_type = 0;
  decoder_get_type(decoder, &comp_type);
  name->components[counter].type = comp_type;
  ++counter;
}

name->components is a fixed-size array. counter is incremented every time a new name component is encountered, and the function does not check whether it exceeds the array capacity.
Therefore, an attacker can trigger a buffer overflow using this function.

Commit bdf9cd9 will address this problem. Thank you for pointing this out.
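
A bounds-checked form of the loop reported above, as an added example that is neither ndn-lite's code nor the change made in bdf9cd9. The `demo_*` names, the capacity of 4 and the one-byte type and length fields are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define DEMO_NAME_CAPACITY 4      /* hypothetical capacity, not ndn-lite's value */
#define DEMO_ERR_OVERSIZE  (-1)   /* more components than the array holds */
#define DEMO_ERR_TRUNCATED (-2)   /* a TLV runs past the end of the input */

typedef struct {
  uint32_t type;
  uint8_t size;
} demo_component_t;

typedef struct {
  demo_component_t components[DEMO_NAME_CAPACITY];
  uint8_t components_size;
} demo_name_t;

/* Constructed wire samples (1-byte type, 1-byte length, value). */
static const uint8_t demo_wire_3[] = {8,1,'a', 8,1,'b', 8,1,'c'};
static const uint8_t demo_wire_5[] = {8,1,'a', 8,1,'b', 8,1,'c', 8,1,'d', 8,1,'e'};
static const uint8_t demo_wire_cut[] = {8,1,'a', 8,9,'b'};
static demo_name_t demo_scratch;  /* decode target for trying the samples */

/* Returns the number of components decoded, or a negative error code. */
int demo_name_decode(demo_name_t *name, const uint8_t *buf, size_t len)
{
  size_t offset = 0;
  int counter = 0;
  name->components_size = 0;
  while (offset < len) {
    /* The check missing from the reported loop: refuse before indexing. */
    if (counter >= DEMO_NAME_CAPACITY)
      return DEMO_ERR_OVERSIZE;
    if (len - offset < 2)
      return DEMO_ERR_TRUNCATED;
    uint8_t vlen = buf[offset + 1];
    /* The length field comes from the wire; it must fit the remaining input. */
    if (vlen > len - offset - 2)
      return DEMO_ERR_TRUNCATED;
    name->components[counter].type = buf[offset];
    name->components[counter].size = vlen;
    offset += 2u + vlen;
    ++counter;
  }
  name->components_size = (uint8_t)counter;
  return counter;
}
```

On any error the name is left with `components_size` set to 0, so a caller that ignores the return value does not see a partially decoded name as valid.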