obgm libcoap
cpe:2.3:a:libcoap:libcoap:*:*:*:*:*:*:*
- 4.3.5
A use-after-free vulnerability has been identified in the libcoap library, specifically in version 4.3.5. The issue arises in the coap_delete_pdu_lkd function within coap_pdu.c, where improper memory management after freeing a Protocol Data Unit (PDU) object can lead to memory corruption or the execution of arbitrary code. This vulnerability was discovered during fuzz testing with libFuzzer, which revealed that the coap_pdu object management functions mishandled memory, creating a dangling pointer to freed memory. Exploitation involves passing specially crafted input to the fuzzing function, triggering the use-after-free condition when a PDU object is deleted.
Exploitation of this vulnerability can result in memory corruption and allow for arbitrary code execution.
The vulnerability can be reproduced by fuzz testing libcoap version 4.3.5 with libFuzzer. This process involves creating inputs that exercise the improper memory handling in the PDU object management, specifically targeting the coap_delete_pdu_lkd function. AddressSanitizer can be used to detect the heap-use-after-free error, confirming the vulnerability.