Headline
CVE-2023-40998: [RIC-989] RMR: Negative Packet Size Causes Crash
Buffer Overflow vulnerability in O-RAN Software Community ric-plt-lib-rmr v.4.9.0 allows a remote attacker to cause a denial of service via the packet size component.
Hello,
I would like to report an issue related to the packet size in the rmr library (ric-plt-lib-rmr).
When processing received packets, the library decodes the first 4 bytes as the packet size.
However, if the decoding result is a negative value, it leads to a subsequent core dump during the memcpy operation.
Through xApp, we can send packets of this nature to services that utilize this RMR library, leading to the disruption of the services.
This problem can be found in components that utilize the RMR library. For example, in the e2term, when receiving a packet with a decoded negative packet size on port 4561, it triggers this crash.
I have attached images of the packets that led to the crash and the decoded packets.