Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Out of bounds multicast group ID can cause memory corruption #1275

Closed
gregbreen opened this issue Mar 1, 2022 · 5 comments
Closed

Out of bounds multicast group ID can cause memory corruption #1275

gregbreen opened this issue Mar 1, 2022 · 5 comments
Milestone
Release Version 4...

Comments

@gregbreen
Copy link

In handling several of the multicast package commands, the code uses the group ID directly from the incoming payload, and indexes into McSessionData array without range checking the ID value. For example:

            case REMOTE_MCAST_SETUP_MC_GROUP_SETUP_REQ:
            {
                uint8_t id = mcpsIndication->Buffer[cmdIndex++];
                McSessionData[id].McGroupData.IdHeader.Value = id;

                McSessionData[id].McGroupData.McAddr =  ( mcpsIndication->Buffer[cmdIndex++] << 0  ) & 0x000000FF;
                McSessionData[id].McGroupData.McAddr += ( mcpsIndication->Buffer[cmdIndex++] << 8  ) & 0x0000FF00;
                McSessionData[id].McGroupData.McAddr += ( mcpsIndication->Buffer[cmdIndex++] << 16 ) & 0x00FF0000;
                McSessionData[id].McGroupData.McAddr += ( mcpsIndication->Buffer[cmdIndex++] << 24 ) & 0xFF000000;

This is fine if LORAMAC_MAX_MC_CTX is 4. (Although in the above example, id could be as much as 255.) However if LORAMAC_MAX_MC_CTX is changed to a lower value (such as 1 in the STM32CubeWL firmware), this can be more problematic. The out of bounds array write occurs before an IDerror is determined.

If you agree, then REMOTE_MCAST_SETUP_MC_GROUP_CLASS_C_SESSION_REQ and REMOTE_MCAST_SETUP_MC_GROUP_CLASS_B_SESSION_REQ have a similar vulnerability. They are both ANDed with 0x03, but that has the assumption that LORAMAC_MAX_MC_CTX is 4.
@MarekNovakACRIOS
Copy link
Contributor

I have met a similar problem here - #1277

@mluis1 mluis1 added this to the Release Version 4.7.0 milestone Mar 21, 2022
@mluis1
Copy link
Contributor

mluis1 commented Mar 21, 2022

Thanks for reporting this issue.
We will try to fix it for next release. Or maybe you could propose a PR to fix it.

@mluis1
Copy link
Contributor

mluis1 commented Jun 15, 2022

@gregbreen and @MarekNovakACRIOS Would it be possible for your to test the below attached patch.

I think it should fix the observed issue. However I did not had the time yet to verify it.

Your feedback are welcome.

Thanks in advance.

mc_setup_out_of_bounds_check.patch.txt

@gregbreen
Copy link
Author

Thanks @mluis1 . Since I'm using the STM32CubeWL firmware, this patch doesn't easily apply for me. I think the changes you made look right.

@mluis1
Copy link
Contributor

mluis1 commented Jun 21, 2022

Thanks for the feedback.

We will push the patch as soon as possible.

mluis1 added a commit that referenced this issue Jul 19, 2022
@mluis1
Issue #1275 - Added a check for GroupId in order to avoid out of boun…
2fdce5f 
…ds access

- Refactored the way the debug messages are handled
@mluis1 mluis1 closed this as completed Jul 19, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
Release Version 4.7.0
Development

No branches or pull requests
3 participants
@gregbreen @mluis1 @MarekNovakACRIOS