named-data-iot/ndn-lite

ndn_signature_value_tlv_decode buffer overflow

Closed this issue · 1 comments

As of a2891e9, the ndn_signature_value_tlv_decode function invokes:

decoder_get_length(decoder, &signature->sig_size);
decoder_get_raw_buffer_value(decoder, signature->sig_value, signature->sig_size);

signature->sig_value is a fixed-size buffer. signature->sig_size comes from the network, and the function does not check whether it exceeds the buffer capacity.
Therefore, an attacker can trigger a buffer overflow using this function.

Commit 1097c03 will address this problem. Thank you for pointing this out.
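
The bounds check the issue describes as missing, sketched as an added C example; it is not ndn-lite code and not the content of commit 1097c03. All `demo_*` names and `SIG_CAPACITY` are hypothetical, and the length parser handles only the 1-octet and 0xFD (2-octet) forms.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SIG_CAPACITY 128u   /* assumed capacity of the fixed signature buffer */

typedef struct { const uint8_t *buf; size_t len; size_t off; } demo_decoder_t;
typedef struct { uint8_t sig_value[SIG_CAPACITY]; uint32_t sig_size; } demo_sig_t;

enum { DEMO_OK = 0, DEMO_TRUNCATED = -1, DEMO_OVERSIZE = -2, DEMO_UNSUPPORTED = -3 };

/* Read a TLV length from untrusted input; never reads past d->len. */
static int demo_get_length(demo_decoder_t *d, uint32_t *out) {
    if (d->len - d->off < 1) return DEMO_TRUNCATED;
    uint8_t first = d->buf[d->off++];
    if (first < 253) { *out = first; return DEMO_OK; }
    if (first != 253) return DEMO_UNSUPPORTED;        /* 4- and 8-octet forms omitted */
    if (d->len - d->off < 2) return DEMO_TRUNCATED;
    *out = ((uint32_t)d->buf[d->off] << 8) | d->buf[d->off + 1];
    d->off += 2;
    return DEMO_OK;
}

/* Hardened decode: the attacker-controlled length is validated against the
 * destination capacity and the remaining input before any byte is copied. */
int demo_sig_value_decode(demo_decoder_t *d, demo_sig_t *sig) {
    uint32_t n;
    int rc = demo_get_length(d, &n);
    if (rc != DEMO_OK) return rc;
    if (n > sizeof sig->sig_value) return DEMO_OVERSIZE;  /* would overflow sig_value */
    if (n > d->len - d->off) return DEMO_TRUNCATED;       /* would over-read the packet */
    memcpy(sig->sig_value, d->buf + d->off, n);
    d->off += n;
    sig->sig_size = n;      /* stored only after both checks pass */
    return DEMO_OK;
}

/* Convenience wrapper: decode a byte string and return the status code. */
int demo_decode_bytes(const uint8_t *bytes, size_t len, demo_sig_t *sig) {
    demo_decoder_t d = { bytes, len, 0 };
    return demo_sig_value_decode(&d, sig);
}
```

Writing the length into a local first, rather than straight into the signature struct, keeps a rejected packet from leaving an out-of-range `sig_size` behind for later code to trust.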