CVE-2020-17440

Name of the Vulnerable Software and Affected Versions uIP version 1.0 Contiki version 3.0

Description The issue arises from the code that parses incoming DNS packets not validating the presence of '0' termination in domain names within DNS responses. This leads to errors in calculating the offset of the pointer that jumps over domain name bytes in DNS response packets when a name lacks this termination. As a result, it eventually leads to dereferencing the pointer at an invalid or arbitrary address within the newdata() and parse name() functions in resolv.c.

Recommendations For uIP version 1.0, consider modifying the code to validate the presence of '0' termination in domain names within DNS responses to prevent errors in pointer calculation. For Contiki version 3.0, as a temporary workaround, consider restricting the use of the newdata() and parse name() functions in resolv.c until a patch is available.