LibOSDP vulnerable to a null pointer deref in osdp_reply_name
Denial of Service
Issue: In osdp_common.c, in the osdp_reply_name function, any reply id between REPLY_ACK and REPLY_XRD is accepted as valid, but the names array does not declare an entry for every id in that range. For an undeclared reply id within the range, name will be NULL (name = names[reply_id - REPLY_ACK];). A NULL name will cause a crash on the next line, if (name[0] == '\0'), since NULL[0] is an invalid dereference. Attack: As this logic is not limited …
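The failure pattern described above, and the check that closes it, as an added C example: this is not LibOSDP's code; the reply-id values, the gaps in the table and the two function names are constructed stand-ins for the real enum and osdp_reply_name().

```c
/* Added example, not LibOSDP's code. Reply-id values and the names table
 * are constructed stand-ins for the real enum and osdp_reply_name(). */
#include <stddef.h>
#include <string.h>

enum {
    REPLY_ACK  = 0x40,  /* constructed: first reply id in the range */
    REPLY_NAK  = 0x41,
    REPLY_PDID = 0x45,  /* constructed gap: 0x42..0x44 have no name */
    REPLY_XRD  = 0x46   /* constructed: last reply id in the range */
};

/* Sparse table: designated initializers leave unlisted slots as NULL. */
static const char *const names[REPLY_XRD - REPLY_ACK + 1] = {
    [REPLY_ACK  - REPLY_ACK] = "ACK",
    [REPLY_NAK  - REPLY_ACK] = "NAK",
    [REPLY_PDID - REPLY_ACK] = "PDID",
    [REPLY_XRD  - REPLY_ACK] = "XRD",
};

/* Pattern from the advisory: the range check passes for 0x42, the slot
 * is NULL, and name[0] dereferences it. Only safe for declared ids. */
const char *reply_name_vulnerable(int reply_id)
{
    const char *name = "UNKNOWN";
    if (reply_id >= REPLY_ACK && reply_id <= REPLY_XRD)
        name = names[reply_id - REPLY_ACK];
    if (name[0] == '\0')            /* crashes when name == NULL */
        name = "UNKNOWN";
    return name;
}

/* Hardened lookup: a NULL slot is treated exactly like an out-of-range
 * id, so an undeclared reply id degrades to "UNKNOWN" instead of a crash. */
const char *reply_name_safe(int reply_id)
{
    const char *name = NULL;
    if (reply_id >= REPLY_ACK && reply_id <= REPLY_XRD)
        name = names[reply_id - REPLY_ACK];
    if (name == NULL || name[0] == '\0')
        return "UNKNOWN";
    return name;
}
```

Feeding 0x42 to reply_name_vulnerable() reproduces the NULL dereference; reply_name_safe() returns "UNKNOWN" for the same input.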
Issues: SCS_14 is allowed on an encrypted connection (osdp_phy.c). There is no validation that RMAC_I is only sent in response to osdp_SCRYPT (osdp_cp.c). Couldn't find anything specific in the OSDP specifications indicating it is forbidden; I'm guessing it shouldn't be allowed according to the secure connection initialization flow (let me know if you think there is a spec-related change that should be done). Attack: Once an RMAC_I message can be sent during a session, an attacker …