named-data-iot/ndn-lite

ndn_name_tlv_decode buffer overflow

Closed this issue · 1 comments

As of bdf9cd9, the name_component_tlv_decode function invokes:

decoder_get_length(decoder, &name->components[counter].size);
int result = decoder_get_raw_buffer_value(decoder, name->components[counter].value,
                                          name->components[counter].size);

name->components[counter].value is a fixed-size buffer. name->components[counter].size comes from the network, and the function does not check whether it exceeds the buffer capacity.
Therefore, an attacker can trigger a buffer overflow using this function.

The recommendation is to invoke name_component_tlv_decode instead of duplicating its logic.

Commit 513e020 will address this issue. ndn_name_tlv_decode now calls name_component_tlv_decode, which has a buffer capacity check, for name component decoding. Thank you for your recommendation.
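The capacity check discussed in this thread, shown as an added example that is not ndn-lite's code: a wire-supplied length is validated against both the fixed destination buffer and the bytes actually received before anything is copied. The names `component_t`, `reader_t`, `read_var`, `component_decode_checked` and the 8-byte `COMPONENT_CAPACITY` are assumptions made for this sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COMPONENT_CAPACITY 8  /* assumed size; stands in for the fixed value buffer */

typedef struct { uint32_t type; uint8_t value[COMPONENT_CAPACITY]; uint32_t size; } component_t;
typedef struct { const uint8_t *buf; size_t len; size_t off; } reader_t;

/* Read an NDN-style variable-length number (1-, 3- or 5-byte encodings). */
static int read_var(reader_t *r, uint32_t *out) {
  if (r->off >= r->len) return -1;
  uint8_t first = r->buf[r->off++];
  if (first < 253) { *out = first; return 0; }
  if (first == 255) return -1;               /* 9-byte form not handled in this sketch */
  size_t extra = (first == 253) ? 2 : 4;
  if (r->len - r->off < extra) return -1;    /* length field itself is truncated */
  uint32_t v = 0;
  for (size_t i = 0; i < extra; i++) v = (v << 8) | r->buf[r->off++];
  *out = v;
  return 0;
}

/* Decode one component. The wire length stays untrusted until both checks pass. */
int component_decode_checked(reader_t *r, component_t *c) {
  uint32_t type, size;
  if (read_var(r, &type) != 0 || read_var(r, &size) != 0) return -1;
  if (size > sizeof c->value) return -2;     /* would overflow the fixed buffer */
  if (size > r->len - r->off) return -3;     /* claims more bytes than were received */
  memcpy(c->value, r->buf + r->off, size);
  r->off += size;
  c->type = type;
  c->size = size;
  return 0;
}

int main(void) {
  /* Constructed inputs: type 0x08, then a length, then value bytes. */
  static const uint8_t ok[]  = {0x08, 0x03, 'n', 'd', 'n'};
  static const uint8_t big[] = {0x08, 0xFD, 0x01, 0x00, 'A'};  /* claims 256 bytes */
  component_t c;
  reader_t r1 = {ok, sizeof ok, 0}, r2 = {big, sizeof big, 0};
  int rc_ok = component_decode_checked(&r1, &c);
  int rc_big = component_decode_checked(&r2, &c);
  printf("ok=%d big=%d\n", rc_ok, rc_big);
  return 0;
}
```

Keeping this check in a single component decoder that every caller reuses is what prevents a duplicated decode path from silently dropping it.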