Skip to content

dtls.c: fix length check in check_server_certificate.#267

Merged
boaks merged 1 commit intomainfrom
fix_length_check_server_cert
Mar 18, 2026
Merged

dtls.c: fix length check in check_server_certificate.#267
boaks merged 1 commit intomainfrom
fix_length_check_server_cert

Conversation

@boaks
Copy link
Copy Markdown
Contributor

@boaks boaks commented Mar 17, 2026

Fixes potential out-of-bounds read.

@boaks
Copy link
Copy Markdown
Contributor Author

boaks commented Mar 17, 2026

@obgm

Please a fast LGTM, thanks!

obgm
obgm reviewed Mar 17, 2026
View reviewed changes
dtls.c Outdated

data += DTLS_HS_LENGTH;

if (data_length < DTLS_HS_LENGTH + DTLS_EC_SUBJECTPUBLICKEY_SIZE + sizeof(uint24)) {
Copy link
Copy Markdown
Contributor

@obgm obgm Mar 17, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good in general but I think this check should come before doing the update_hs_hash in line 3433 .

Otherwise, LGTM.

Copy link
Copy Markdown
Contributor Author

@boaks boaks Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done.

@boaks
dtls.c: fix length check in check_server_certificate.
3894c78 
Fixes potential out-of-bounds read.

Signed-off-by: Achim Kraus <achim.kraus@cloudcoap.net>
@boaks boaks force-pushed the fix_length_check_server_cert branch from 612e9f7 to 3894c78 Compare March 18, 2026 06:35
@boaks boaks merged commit b3efd41 into main Mar 18, 2026
9 checks passed
@wsparks-vc
Copy link
Copy Markdown

wsparks-vc commented Apr 2, 2026

Hello @boaks and @obgm - does the Eclipse Foundation CNA intend to assign a CVE for the reported vulnerability?

@boaks
Copy link
Copy Markdown
Contributor Author

boaks commented Apr 3, 2026

From the team's (obgm an me) view, tinydtls is in development stage. We have no 1.0 release.
I personally don't know, if we find enough "volunteer time", at least I'm not longer able to spend that larger amount of time.
Therefor we also decided two years ago, just to fix vulnerabilities (if possible with the time we#re able to spend), but don't go for CVE reporting. It's just really a question of work-time.

@wsparks-vc
Copy link
Copy Markdown

wsparks-vc commented Apr 7, 2026

It's standard practice in vuln management to issue CVEs to public patches, rather than waiting for an official release. Through managing the VulnCheck CVE Numbering Authoring (CNA), I usually work with maintainers to allow for official version releases to be put together prior to CVE publication. Since the Eclipse Foundation would, presumably, be the CNA with appropriate first-level scope, we'd like to push for CVE issuance ASAP.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@obgm obgm obgm left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@boaks @wsparks-vc @obgm