fix(protocomm): add validation for Security1 client verifier data

Add checks to validate client_verify_data pointer and length before processing in handle_session_command1. Prevents NULL pointer dereference when client omits verifier data in Session_Command1, which could cause device crash during provisioning (remote DoS attack). We would like to thank Pavel Kohout from Aisle Research for reporting this vulnerability along with a mitigation strategy.
2025-11-20 14:22:40 +05:30
parent 871ec2c1ef
commit a5601fbf0d
1 changed files with 16 additions and 1 deletions
@@ -1,5 +1,5 @@
 /*
- * SPDX-FileCopyrightText: 2018-2022 Espressif Systems (Shanghai) CO LTD
+ * SPDX-FileCopyrightText: 2018-2025 Espressif Systems (Shanghai) CO LTD
 *
 * SPDX-License-Identifier: Apache-2.0
 */
@@ -101,6 +101,21 @@ static esp_err_t handle_session_command1(session_t *cur_session,
        return ESP_ERR_INVALID_STATE;
    }

+    /* Validate client verifier data before processing */
+    if (!in || !in->sc1 ||
+        in->sc1->client_verify_data.data == NULL ||
+        in->sc1->client_verify_data.len != PUBLIC_KEY_LEN) {
+        ESP_LOGE(TAG, "Invalid client verifier (ptr=%p len=%d)",
+                 (void *) (in && in->sc1 ? in->sc1->client_verify_data.data : NULL),
+                 (int) (in && in->sc1 ? in->sc1->client_verify_data.len : -1));
+        if (esp_event_post(PROTOCOMM_SECURITY_SESSION_EVENT,
+                          PROTOCOMM_SECURITY_SESSION_INVALID_SECURITY_PARAMS,
+                          NULL, 0, portMAX_DELAY) != ESP_OK) {
+            ESP_LOGE(TAG, "Failed to post invalid security params event");
+        }
+        return ESP_ERR_INVALID_ARG;
+    }
+
    /* Initialize crypto context */
    mbedtls_aes_init(&cur_session->ctx_aes);
    memset(cur_session->stb, 0, sizeof(cur_session->stb));