#346 UDP MD: In case of wrong data length (too big) in the header the package won't be released

2.1.0.0
closed
None
2021-08-11
2020-10-15
Stefan P
No

If an MD package is received with a wrong data length in the header field (caused by the sending application) that is too big for the memory, the actual message will not be released from the receiver buffer. This could happen, e.g., through a manipulated message and will block the communication. For example: an MD package with an actual data length of 64 bytes, but with 64000 bytes entered in the header.

At trdp_mdcom.c line 1371 the header of the package is read but not released, due to the peek=true parameter.

If a bigger buffer is needed but cannot be allocated (especially due to limitations of embedded devices), the function returns TRDP_MEM_ERR, but skips the release of the whole UDP package with "vos_sockReceiveUDP()" afterwards. Unfortunately this package is never released, which blocks all other messages (depending on the receive buffer).

See trdp_mdcom.c line 1371ff (especially 1391f where the "pBigData" should be allocated):

    err = (TRDP_ERR_T) vos_sockReceiveUDP(mdSock,
                                          (UINT8 *)pElement->pPacket,
                                          &size,
                                          &pElement->addr.srcIpAddr,
                                          &pElement->replyPort,
                                          &pElement->addr.destIpAddr,
                                          TRUE);

    /* does the announced data fit into our (small) allocated buffer?   */
    if ( err == TRDP_NO_ERR )
    {
        if ((size == sizeof(MD_HEADER_T))
            && (trdp_mdCheck(appHandle, &pElement->pPacket->frameHead, size, CHECK_HEADER_ONLY) == TRDP_NO_ERR))
        {
            pElement->dataSize  = vos_ntohl(pElement->pPacket->frameHead.datasetLength);
            pElement->grossSize = trdp_packetSizeMD(pElement->dataSize);

            if ( trdp_packetSizeMD(pElement->dataSize) > cMinimumMDSize )
            {
                /* we have to allocate a bigger buffer */
                MD_PACKET_T *pBigData = (MD_PACKET_T *) vos_memAlloc(trdp_packetSizeMD(pElement->dataSize));
                if ( pBigData == NULL )
                {
                    return TRDP_MEM_ERR;
                }
                /*  Swap the pointers ...  */
                vos_memFree(pElement->pPacket);
                pElement->pPacket   = pBigData;
                pElement->grossSize = trdp_packetSizeMD(pElement->dataSize);
            }

            /*  get the complete packet */
            size    = pElement->grossSize;
            err     = (TRDP_ERR_T) vos_sockReceiveUDP(mdSock,
                                                      (UINT8 *)pElement->pPacket,
                                                      &size,
                                                      &pElement->addr.srcIpAddr,
                                                      &pElement->replyPort,
                                                      &pElement->addr.destIpAddr,
                                                      FALSE);

Discussion

  • Bernd Löhr

    Bernd Löhr - 2020-11-03
    • status: open --> accepted
    • assigned_to: Bernd Löhr
     
  • Bernd Löhr

    Bernd Löhr - 2020-11-03
    • status: accepted --> pending
     
  • Bernd Löhr

    Bernd Löhr - 2020-11-03

    Solution: Flushing the UDP buffers before returning mem_err.
    Note: This could always happen if there was not sufficient storage available for a message - despite the wrong package header size value.

     
  • Stefan Bender

    Stefan Bender - 2021-08-11
    • status: pending --> closed
     
  • Stefan Bender

    Stefan Bender - 2021-08-11

    Tested in mdDataLengthTest.c
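
The fix described in the discussion (discard the queued datagram before returning the memory error), shown with plain POSIX sockets as an added example; it is not TRDP code and does not use the vos_* API. The 8-byte header layout, the MAX_BODY limit and all function names are assumptions made for the illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define HDR_LEN  8u     /* hypothetical header: 4 reserved bytes + 4-byte big-endian length */
#define MAX_BODY 4096u  /* hypothetical allocation limit of the receiver */
enum { RX_OK = 0, RX_IO_ERR = -1, RX_MEM_ERR = -2 };

static void drop_datagram(int fd) {   /* consume and discard the datagram at the queue head */
    uint8_t scratch[1];
    (void)recv(fd, scratch, sizeof scratch, MSG_DONTWAIT); /* the rest of the datagram is discarded */
}

/* Receive one message; a peeked datagram leaves the queue on every return path. */
int rx_message(int fd, uint8_t **out, uint32_t *out_len) {
    uint8_t hdr[HDR_LEN];
    uint32_t announced;
    ssize_t n = recv(fd, hdr, sizeof hdr, MSG_PEEK);   /* header only, datagram stays queued */
    if (n != (ssize_t)sizeof hdr) { if (n >= 0) drop_datagram(fd); return RX_IO_ERR; }
    memcpy(&announced, hdr + 4, sizeof announced);
    announced = ntohl(announced);
    uint8_t *buf = (announced <= MAX_BODY) ? malloc(HDR_LEN + announced) : NULL;
    /* Without the drop below, every later call would peek the same datagram again. */
    if (buf == NULL) { drop_datagram(fd); return RX_MEM_ERR; }
    n = recv(fd, buf, HDR_LEN + announced, 0);         /* consumes the datagram */
    if (n != (ssize_t)(HDR_LEN + announced)) { free(buf); return RX_IO_ERR; }
    *out = buf; *out_len = announced;
    return RX_OK;
}

static void send_msg(int fd, uint32_t announced, uint32_t actual) {  /* actual <= 64 */
    uint8_t pkt[HDR_LEN + 64] = {0};
    uint32_t be = htonl(announced);
    memcpy(pkt + 4, &be, sizeof be);
    (void)send(fd, pkt, HDR_LEN + actual, 0);
}

int demo_rc[2]; uint32_t demo_len;    /* results of the two receives in demo() */
/* Constructed input: a 64-byte body announced as 64000 bytes, then a valid 16-byte message. */
int demo(void) {
    int sv[2]; uint8_t *msg = NULL;
    if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) != 0) return -1;
    send_msg(sv[0], 64000u, 64u); send_msg(sv[0], 16u, 16u);
    demo_rc[0] = rx_message(sv[1], &msg, &demo_len);   /* oversized announcement */
    demo_rc[1] = rx_message(sv[1], &msg, &demo_len);   /* next message must still arrive */
    free(msg); close(sv[0]); close(sv[1]);
    return 0;
}
int main(void) { return (demo() == 0 && demo_rc[0] == RX_MEM_ERR && demo_rc[1] == RX_OK) ? 0 : 1; }
```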

     
