Golioth Firmware SDK Stack-Based Buffer Overflow Vulnerability in Payload Utils
Vulnerability
A stack-based buffer overflow vulnerability has been identified in the Golioth Firmware SDK, affecting versions from 0.10.0 up to, but not including, 0.22.0. The flaw resides in the Payload Utils component, where the functions golioth_payload_as_int() and golioth_payload_as_float() improperly handle network-supplied payload data. Both functions use memcpy() to copy the payload into fixed-size stack buffers, but the copied length is unbounded: the only length checks are assert() statements, which are compiled out of release builds. As a result, a payload longer than 12 bytes (integer conversion) or 32 bytes (float conversion) overflows the stack buffer, causing a crash and a denial-of-service condition. The vulnerable code is reachable through the LightDB State on_payload feature, so an oversized payload sent by a server, or injected by a man-in-the-middle, triggers the overflow.
Impact
Exploitation of this vulnerability causes a stack-based buffer overflow, leading to a crash and denial-of-service condition.
Reproduction
The vulnerability can be reproduced with an affected version of the Golioth Firmware SDK (0.10.0 up to, but not including, 0.22.0) by delivering a payload larger than 12 bytes (integer conversion) or 32 bytes (float conversion) through the LightDB State on_payload feature. The oversized payload can come from a malicious server or from intercepting and modifying the payloads sent to LightDB State.
Remediation
Users can upgrade to Golioth Firmware SDK version 0.22.0 or later, where this vulnerability has been fixed.
