GnuTLS
cpe:2.3:a:gnu:gnutls:*:*:*:*:*:*:*
A heap buffer overflow vulnerability has been identified in GnuTLS in the DTLS handshake fragment reassembly process. The issue occurs in the 'merge_handshake_packet()' function, where incoming handshake fragments are combined based solely on handshake type. This approach fails to ensure that the 'message_length' field remains consistent across all fragments of the same logical message. An attacker can exploit this vulnerability by sending crafted DTLS fragments with conflicting 'message_length' values: the implementation allocates the reassembly buffer from the smaller 'message_length' of the initial fragment and then writes later, larger fragments into it. Because the merging process does not bounds-check fragment offsets and lengths against the allocated buffer, the result is an out-of-bounds write on the heap. This vulnerability is remotely exploitable without authentication via the DTLS handshake and can result in application crashes or potential memory corruption.
Exploitation of this vulnerability causes a heap buffer overflow, leading to memory corruption and application crashes. Such memory corruption vulnerabilities can often be exploited to execute arbitrary code.
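As an added illustration (not GnuTLS's own code), the two checks a DTLS handshake reassembler needs before merging a fragment: that every fragment of a message carries the same 'message_length' as the first one, and that the fragment's offset and length fit inside the buffer allocated from that length. The struct layouts, function name and error codes are assumptions made for this example; the header fields are those of the DTLS handshake fragment header.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reassembly state for one logical DTLS handshake message
 * (illustration only, not GnuTLS's own data structures). */
typedef struct {
    uint8_t  msg_type;
    uint16_t msg_seq;
    uint32_t msg_length;  /* message_length taken from the first fragment */
    uint8_t *data;        /* buffer of exactly msg_length bytes */
} hs_msg;

/* Parsed view of one incoming fragment's DTLS handshake header fields. */
typedef struct {
    uint8_t  msg_type;
    uint16_t msg_seq;
    uint32_t msg_length;
    uint32_t frag_offset;
    uint32_t frag_length;
    const uint8_t *body;  /* frag_length bytes of fragment payload */
} hs_fragment;

enum { MERGE_OK = 0, MERGE_ERR_TYPE = -1, MERGE_ERR_LENGTH = -2,
       MERGE_ERR_BOUNDS = -3, MERGE_ERR_ALLOC = -4 };

/* Merge one fragment into m; returns MERGE_OK or a negative error code. */
int hs_msg_merge(hs_msg *m, const hs_fragment *f)
{
    if (m->data == NULL) {
        /* First fragment: the buffer is sized from its message_length. */
        m->msg_type = f->msg_type;
        m->msg_seq = f->msg_seq;
        m->msg_length = f->msg_length;
        m->data = calloc(f->msg_length ? f->msg_length : 1, 1);
        if (m->data == NULL) return MERGE_ERR_ALLOC;
    } else if (f->msg_type != m->msg_type || f->msg_seq != m->msg_seq) {
        return MERGE_ERR_TYPE;   /* belongs to a different message */
    } else if (f->msg_length != m->msg_length) {
        /* The missing consistency check: reject a fragment whose total length differs. */
        return MERGE_ERR_LENGTH;
    }
    /* Overflow-safe bounds check against the allocated buffer before copying. */
    if (f->frag_length > m->msg_length ||
        f->frag_offset > m->msg_length - f->frag_length)
        return MERGE_ERR_BOUNDS;
    memcpy(m->data + f->frag_offset, f->body, f->frag_length);
    return MERGE_OK;
}
```

Duplicate and overlapping fragments are not tracked here; a real implementation also needs to record which byte ranges have already arrived before declaring the message complete.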