CVE-2023-51391
An invalid pointer dereference vulnerability exists in the HTTP server header parsing functionality of Silicon Labs Gecko Platform 4.3.2.0. A specially crafted network packet can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability.
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
Silicon Labs Gecko Platform 4.3.2.0
Gecko Platform - https://www.silabs.com/developers/gecko-software-development-kit
7.5 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE-690 - Unchecked Return Value to NULL Pointer Dereference
The Gecko Platform is a portion of the components within the Gecko SDK, which includes Micrium OS. A network stack is included within Micrium OS that supports TCP/IP with IPv4 and IPv6, along with implementations of popular application protocols.
This invalid pointer dereference occurs when parsing header values of an HTTP request. The call to Str_Char_N at [1] will fail and return NULL if no colon (:) character is found between the header key value and the next occurrence of CRLF (\r\n). The return value is not checked before the pointer is incremented, which results in the pointer p_val having a value of 1. Next, that pointer is dereferenced in the function HTTP_StrGraphSrchFirst, which results in a crash.
File: http_server_req.c
1807: static CPU_CHAR *HTTPsReq_HdrParseValGet(CPU_CHAR   *p_field,
1808:                                          CPU_INT16U  field_len,
1809:                                          CPU_CHAR   *p_field_end,
1810:                                          CPU_INT16U *p_len_rem)
1811: {
1812:     CPU_INT16U  len;
1813:     CPU_CHAR   *p_val;
1814:
1815:     p_val = p_field + field_len;
1816:     len   = (p_field_end - p_val);
1817:
1818:     p_val = Str_Char_N(p_val, len, ASCII_CHAR_COLON);   // Field val located after ':' (see Note #1a). [1]
1819:     p_val++;
1820:
1821:     len   = (p_field_end - p_val);
1822:     p_val = HTTP_StrGraphSrchFirst(p_val, len);        // Remove blank space before field value.
1823:
1824:     *p_len_rem = (p_field_end - p_val);
1825:
1826:     return (p_val);
1827: }
If this library is used on a system where address 1 is addressable and contains data, this vulnerability could lead to further memory corruption. In this case, when HTTPsReq_HdrParseValGet returns, the returned pointer p_val would point to an address that is out of bounds of the original p_field buffer that was passed to this function.
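The missing NULL check, shown in hardened form as an added example (this is not Micrium OS code): the helper stand-ins and the hdr_parse_val_get interface are assumptions modelled on the listing above, and the colon-less "Host" line is the header from the gdb backtrace.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for Str_Char_N: first c within len bytes of s, else NULL. */
static const char *str_char_n(const char *s, size_t len, char c)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] == c) return s + i;
    return NULL;
}

/* Stand-in for HTTP_StrGraphSrchFirst: skip leading blanks, else NULL. */
static const char *str_graph_srch_first(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (isgraph((unsigned char)s[i])) return s + i;
    return NULL;
}

/* Hardened counterpart of HTTPsReq_HdrParseValGet (assumed interface):
 * p_field is the header name, field_len its length, p_field_end the CRLF
 * that ends the line. Returns the first graphic byte of the value or NULL. */
const char *hdr_parse_val_get(const char *p_field, size_t field_len,
                              const char *p_field_end, size_t *p_len_rem)
{
    const char *p_val = p_field + field_len;
    size_t len = (size_t)(p_field_end - p_val);
    p_val = str_char_n(p_val, len, ':');
    if (p_val == NULL) {          /* the check the original omits: without it */
        *p_len_rem = 0;           /* p_val++ turns NULL into (CPU_CHAR *)1   */
        return NULL;
    }
    p_val++;
    len = (size_t)(p_field_end - p_val);
    p_val = str_graph_srch_first(p_val, len);
    *p_len_rem = p_val ? (size_t)(p_field_end - p_val) : 0;
    return p_val;
}

/* Constructed inputs: the colon-less "Host" line from the advisory's
 * backtrace must yield NULL; a well-formed Host header must parse. */
int check_parser(void)
{
    static const char bad[] = "Host\r\nUser-Agent: Cisco Talos\r\n\r\n";
    static const char ok[] = "Host: example.com\r\n";
    size_t rem = 99;
    if (hdr_parse_val_get(bad, 4, bad + 4, &rem) != NULL || rem != 0) return 0;
    const char *v = hdr_parse_val_get(ok, 4, ok + 17, &rem);
    return v && rem == 11 && strncmp(v, "example.com", 11) == 0;
}
```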
Program received signal SIGSEGV, Segmentation fault.
0x565695f5 in HTTP_StrGraphSrchFirst (p_str=0x1 <error: Cannot access memory at address 0x1>, str_len=39239)
at gecko_sdk/platform/micrium_os/net/source/http/http.c:157
157 while ((ASCII_IS_GRAPH(*p_char) == DEF_NO)
(gdb) bt
#0 0x565695f5 in HTTP_StrGraphSrchFirst (p_str=0x1 <error: Cannot access memory at address 0x1>, str_len=39239)
at gecko_sdk/platform/micrium_os/net/source/http/http.c:157
#1 0x5655fda7 in HTTPsReq_HdrParseValGet (
p_field=0x56579944 <Mem_Heap+1764> "Host\r\nUser-Agent: Cisco Talos\r\n\r\n", field_len=4,
p_field_end=0x56579948 <Mem_Heap+1768> "\r\nUser-Agent: Cisco Talos\r\n\r\n", p_len_rem=0xffffd0a6)
at gecko_sdk/platform/micrium_os/net/source/http/server/http_server_req.c:1822
#2 0x5655fa2e in HTTPsReq_HdrParse (p_instance=0x56579284 <Mem_Heap+36>, p_conn=0x5657986c <Mem_Heap+1548>,
p_err=0xffffd12c) at gecko_sdk/platform/micrium_os/net/source/http/server/http_server_req.c:1639
#3 0x5655e49d in HTTPsReq_Handler (p_instance=0x56579284 <Mem_Heap+36>, p_conn=0x5657986c <Mem_Heap+1548>)
at gecko_sdk/platform/micrium_os/net/source/http/server/http_server_req.c:320
#4 0x565642c3 in HTTPsConn_Process (p_instance=0x56579284 <Mem_Heap+36>)
at gecko_sdk/platform/micrium_os/net/source/http/server/http_server_conn.c:137
#5 0x565664d7 in HTTPsTask_InstanceTaskHandler (p_instance=0x56579284 <Mem_Heap+36>)
at gecko_sdk/platform/micrium_os/net/source/http/server/http_server_task.c:570
#6 0x56566236 in HTTPsTask_InstanceTask (p_data=0x56579284 <Mem_Heap+36>)
at gecko_sdk/platform/micrium_os/net/source/http/server/http_server_task.c:440
#7 0x5656ad1a in KAL_TaskCreate (task_handle=..., p_fnct=0x56566211 <HTTPsTask_InstanceTask>,
p_task_arg=0x56579284 <Mem_Heap+36>, prio=21 '\025', p_cfg=0x0, p_err=0xffffd2cc)
at uc-shims/Source/kal-shim.c:75
#8 0x56565f61 in HTTPsTask_InstanceTaskCreate (p_instance=0x56579284 <Mem_Heap+36>, p_err=0xffffd2cc)
at gecko_sdk/platform/micrium_os/net/source/http/server/http_server_task.c:235
#9 0x565637b7 in HTTPs_InstanceStart (p_instance=0x56579284 <Mem_Heap+36>, p_err=0xffffd2cc)
at gecko_sdk/platform/micrium_os/net/source/http/server/http_server.c:671
#10 0x5656bd02 in HTTP_ServerBasicInit () at server_app.c:339
#11 0x5656bef4 in main (argc=1, argv=0xffffd3d4) at server_app.c:421
(gdb) i r
eax 0x1 1
ecx 0x8 8
edx 0x4 4
ebx 0x56578fac 1448578988
esp 0xffffd028 0xffffd028
ebp 0xffffd038 0xffffd038
esi 0xf7fb1000 -134541312
edi 0xf7fb1000 -134541312
eip 0x565695f5 0x565695f5 <HTTP_StrGraphSrchFirst+45>
eflags 0x10206 [ PF IF RF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x63 99
The vendor released a fixed version at: https://github.com/SiliconLabs/gecko_sdk/releases/tag/v4.4.2
2024-02-20 - Vendor Disclosure
2024-04-11 - Vendor Patch Release
2024-04-18 - Public Release
Discovered by Kelly Patterson of Cisco Talos.