Description
`sdls_frame.hdr.pkt_length` is not updated properly in `Crypto_Process_Extended_Procedure_Pdu` in file `crypto.c:1226`, affecting the error handling in `Crypto_Key_Update` in `crypto_key_mgmt.c:260`.
Configuration: Default
Patch
diff --color -crB CryptoLib/src/core/crypto.c CryptoLib_patched/src/core/crypto.c
*** CryptoLib/src/core/crypto.c Fri Jan 30 13:24:58 2026
--- CryptoLib_patched/src/core/crypto.c Fri Jan 30 13:24:38 2026
***************
*** 1225,1230 ****
--- 1225,1232 ----
sdls_frame.tlv_pdu.hdr.pid = (tc_sdls_processed_frame->tc_pdu[0] & 0x0F);
sdls_frame.tlv_pdu.hdr.pdu_len =
(tc_sdls_processed_frame->tc_pdu[1] << 8) | tc_sdls_processed_frame->tc_pdu[2];
+ sdls_frame.hdr.pkt_length =
+ (tc_sdls_processed_frame->tc_pdu[4] << 8) | tc_sdls_processed_frame->tc_pdu[5];
for (int x = 3; x < (3 + tc_sdls_processed_frame->tc_header.fl); x++)
{
// Todo - Consider how this behaves with large OTAR PDUs that are larger than 1 TC in size. Most
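Review bot: The two added lines read tc_pdu[4] and tc_pdu[5] unconditionally, and nothing visible in this hunk confirms that the received PDU is at least six bytes long before they are indexed. Consider checking the frame length first (for example against tc_header.fl, which the following loop already uses as its bound) and returning an error for shorter PDUs instead of assigning sdls_frame.hdr.pkt_length. The value comes straight from the frame, so any later check that relies on pkt_length should treat it as untrusted input. A short comment naming the header field at offsets 4 and 5 would also help, since the neighbouring lines parse offsets 0 through 2 and the copy loop starts at 3.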
***************
*** 1655,1658 ****
return CRYPTO_LIB_ERROR;
}
return CRYPTO_LIB_SUCCESS;
! }
\ No newline at end of file
--- 1657,1660 ----
return CRYPTO_LIB_ERROR;
}
return CRYPTO_LIB_SUCCESS;
! }
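Review bot: The only change at the end of the file is the trailing newline added after the closing brace, which is unrelated to the pkt_length fix. It is harmless, but submitting it as a separate whitespace change would keep the fix itself easier to audit and backport.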
Branch Name
dev
Reproduction steps
1. Go to './src/sa/internal/sa_interface_inmemory.template.c' and in the initializer set SA 0 to OPERATIONAL
2. Create a simple main to pass a packet from a binary packet to the TC Process Security function
3. Use the packet as in the hexdump below and see the results of the DEBUG logs
DEBUG LOGS
Key Activate
PDU Length Exceded!
MC_Log: Error, [2026130,12:58:11], -1
Response: Status: -1
##### PoC Hex Dump
002c 100e 0000 0000 0200 0200 82a7 30
OS
Linux