Prevent Out-Of-Bound (OOB) Read Vulnerability in Camera Legacy Pairing Protocol.

emargolis · robszewczyk · commit 04455175449a · 2019-08-19T10:08:22.000-07:00
Within the DropcamLegacyPairingServer::HandleCameraAuthDataRequest() method: -- Added check that the length of the nonce string encoded in the CameraAuthDataRequest message is 64 bytes. -- Added check that the TLV encoding for CameraAuthDataRequest contains no additional fields other than the nonce string. This change addresses CVE security vulnerability: CVE-2019-5034
diff --git a/src/lib/profiles/vendor/nestlabs/dropcam-legacy-pairing/DropcamLegacyPairing.cpp b/src/lib/profiles/vendor/nestlabs/dropcam-legacy-pairing/DropcamLegacyPairing.cpp
@@ -374,6 +374,7 @@ WEAVE_ERROR DropcamLegacyPairingServer::HandleCameraAuthDataRequest(ExchangeCont
     uint8_t macAddress[EUI48_LEN];
     uint8_t secret[CAMERA_SECRET_LEN];
     const uint8_t *noncePtr;
+    uint32_t nonceLen;
     TLVReader reader;
     TLVWriter writer;
 
@@ -391,6 +392,12 @@ WEAVE_ERROR DropcamLegacyPairingServer::HandleCameraAuthDataRequest(ExchangeCont
     err = reader.GetDataPtr(noncePtr);
     SuccessOrExit(err);
 
+    nonceLen = reader.GetLength();
+    VerifyOrExit(nonceLen == CAMERA_NONCE_LEN, err = WEAVE_ERROR_INVALID_ARGUMENT);
+
+    err = reader.Next();
+    VerifyOrExit(err == WEAVE_END_OF_TLV, err = WEAVE_ERROR_UNEXPECTED_TLV_ELEMENT);
+
     // Get camera MAC address
     err = mDelegate->GetCameraMACAddress(macAddress);
     SuccessOrExit(err);
