OISM libcoap NULL Pointer Dereference Vulnerability in DTLS Handshake

Vulnerability

A NULL pointer dereference vulnerability has been identified in OISM libcoap version 4.3.5. This issue arises in the function coap_dtls_generate_cookie() within the file src/coap_openssl.c. The vulnerability allows remote attackers to cause a denial-of-service condition by crafting a DTLS handshake that leads to SSL_get_SSL_CTX() returning NULL. The improper handling of this NULL return value during DTLS cookie generation causes libcoap to pass a null pointer to SSL_CTX_get_app_data(), which then attempts to access application data using a NULL SSL_CTX pointer, resulting in a segmentation fault.
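The unchecked lookup described above beside a checked form, as an added example that is not libcoap's or OpenSSL's code. The types model_ssl, model_ssl_ctx and cookie_state, the two model_* accessors, both generate_cookie_* functions and the 1 = success / 0 = failure return convention are assumptions made so the pattern builds without OpenSSL.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#define COOKIE_LEN 16

/* Stand-ins for the OpenSSL objects so the example builds without OpenSSL. */
typedef struct { void *app_data; } model_ssl_ctx;  /* models SSL_CTX */
typedef struct { model_ssl_ctx *ctx; } model_ssl;  /* models SSL */

/* Hypothetical application data. Real code would compute the cookie with an
 * HMAC over the peer address; here a ready-made value stands in for it. */
typedef struct { unsigned char cookie[COOKIE_LEN]; } cookie_state;

/* Models SSL_get_SSL_CTX(): the result can be NULL. */
model_ssl_ctx *model_get_ssl_ctx(const model_ssl *ssl) { return ssl ? ssl->ctx : NULL; }

/* Models SSL_CTX_get_app_data(): reads through ctx with no check. */
void *model_ctx_get_app_data(const model_ssl_ctx *ctx) { return ctx->app_data; }

/* Unchecked pattern from the advisory: faults when the context is NULL. */
int generate_cookie_unchecked(const model_ssl *ssl, unsigned char *cookie,
                              unsigned int *cookie_len) {
    cookie_state *st = model_ctx_get_app_data(model_get_ssl_ctx(ssl));
    memcpy(cookie, st->cookie, COOKIE_LEN);
    *cookie_len = COOKIE_LEN;
    return 1;
}

/* Checked pattern: reports failure (assumed value 0) instead of crashing. */
int generate_cookie_checked(const model_ssl *ssl, unsigned char *cookie,
                            unsigned int *cookie_len) {
    if (cookie == NULL || cookie_len == NULL) return 0;
    *cookie_len = 0;                        /* never leave a stale length */
    model_ssl_ctx *ctx = model_get_ssl_ctx(ssl);
    if (ctx == NULL) return 0;              /* no context: fail closed */
    cookie_state *st = model_ctx_get_app_data(ctx);
    if (st == NULL) return 0;               /* no application data attached */
    memcpy(cookie, st->cookie, COOKIE_LEN);
    *cookie_len = COOKIE_LEN;
    return 1;
}

int main(void) {
    unsigned char buf[COOKIE_LEN];
    unsigned int len;
    model_ssl detached = { NULL };          /* constructed: SSL with no context */
    printf("checked result: %d\n", generate_cookie_checked(&detached, buf, &len));
    return 0;
}
```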

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by sending a DTLS handshake that triggers SSL_get_SSL_CTX() to return NULL. This can be done using a DTLS client that crafts a handshake message causing the OpenSSL library to return a NULL context, which libcoap does not properly check before proceeding with cookie generation.

Remediation

Users can update to the latest version of OISM libcoap, where this vulnerability has been addressed.

Added: Nov 24, 2025, 2:21 PM
Updated: Nov 24, 2025, 7:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.7
remediation: 7.7
relevance: 1.1
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.