OISM libcoap Array Index Error in DTLS Handshake Leading to Denial-of-Service

Vulnerability

An array index error has been identified in OISM libcoap version 4.3.5, specifically within the tls_verify_call_back() function in src/coap_openssl.c. This vulnerability allows remote attackers to cause a denial of service by crafting a DTLS handshake under which SSL_get_ex_data_X509_STORE_CTX_idx() returns -1, OpenSSL's failure value. The issue arises because OpenSSL's return values are not checked during certificate verification: the invalid index is used as-is, and the resulting null pointer is dereferenced.

Impact

Exploitation of this vulnerability causes a segmentation fault that terminates the application. This behavior is characteristic of a null pointer dereference, where the program attempts to read memory through a null pointer and crashes.

Reproduction

The vulnerability can be reproduced by sending a DTLS handshake crafted to trigger the issue. This can be done using the libcoap client example, which initiates a DTLS connection; the null pointer dereference occurs when the server processes the handshake.

Remediation

Users can update to the latest version of OISM libcoap, where this issue has been fixed. Instructions for updating can be found in the libcoap documentation.

Added: Nov 24, 2025, 2:20 PM
Updated: Nov 24, 2025, 7:28 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.4
remediation     0.0
relevance       1.2
threat          4.8
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.