Summary by Excal1bur
An integer overflow in NASA ION-DTN's startImportSession() causes a heap buffer to be allocated with a drastically undersized value (16 bytes instead of ~4 GB), leading to a heap buffer overflow WRITE of 84 bytes when a subsequent data segment is processed. An unauthenticated attacker with UDP access to the ION-DTN LTP port (default 1113) can trigger this with two crafted packets.
Affected Components
| # | File | Line | CWE |
|---|---|---|---|
| 1 | ltp/library/libltpP.c | 5781 | CWE-190 (Integer Overflow) |
| 2 | ici/library/ion.c | 1737 | CWE-197 (Numeric Truncation Error) |
Issue 1 — Integer Overflow → Heap Buffer Overflow (libltpP.c:5781)
Root Cause
```c
uvast blockSize = pdu->offset + pdu->length;
// Both fields are uint32 — wraps before widening to uint64
// offset=0xFFFFFFF0 + length=0x00000020 = 0x10 (16) instead of ~4GB
```
Proof of Concept
Packet 1 — LTP Red EOB (UDP :1113):
offset=0xFFFFFFF0, length=0x00000020
→ blockSize = 16 (integer overflow)
→ importBuffer = sdr_malloc(sdr, 16)
Packet 2 — Normal LTP data segment:
offset=0, length=100
→ sdr_write(heapBufferObj + 16, data, 84) ← OOB WRITE
ASAN Output
ERROR: AddressSanitizer: heap-buffer-overflow
WRITE of size 84 at 0x6e3562be0020
#1 simulate_startImportSession harness_ion_dtn_ltp_overflow.c:161
0x6e3562be0020 is located 0 bytes after 16-byte region
Fix Applied
```c
uvast blockSize = (uvast)pdu->offset + (uvast)pdu->length;
```
Issue 2 — SDNV Integer Truncation (ion.c:1737)
Root Cause
```c
*into = val; /* Truncate. */
// val=uvast (uint64_t), *into=uint32_t — no bounds check
// 0x100000001 → *into = 1, 4GB silently lost
```
Fix Applied
```c
if (val > UINT_MAX) {
	writeMemoNote("[?] SDNV value exceeds uint32", NULL);
	return 0;
}
*into = (unsigned int)val;
```
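To make both root causes concrete, here is a self-contained C illustration of the blockSize overflow from Issue 1 beside its widened form, plus the SDNV narrowing check from Issue 2. This is added example code, not ION-DTN's source: `uvast` is modelled as `uint64_t`, `struct pdu_fields` is a constructed stand-in for the PDU's two 32-bit fields, and the `maxBlock` cap in `block_size_checked()` is an extra guard I am assuming, not part of the upstream fix.

```c
#include <stdint.h>
#include <limits.h>
#include <stdio.h>
typedef uint64_t uvast;  /* stand-in for ION's 64-bit unsigned type (assumed) */

/* Constructed stand-in for the two 32-bit fields of an LTP data segment. */
struct pdu_fields { uint32_t offset; uint32_t length; };

/* Vulnerable form (libltpP.c:5781): the sum is computed in 32 bits and wraps
 * before widening to uvast, so 0xFFFFFFF0 + 0x20 yields 16, not ~4 GB. */
uvast block_size_vulnerable(const struct pdu_fields *pdu)
{
    uvast blockSize = pdu->offset + pdu->length;
    return blockSize;
}

/* Fixed form: widen each operand first so the addition happens in 64 bits. */
uvast block_size_fixed(const struct pdu_fields *pdu)
{
    uvast blockSize = (uvast)pdu->offset + (uvast)pdu->length;
    return blockSize;
}

/* Extra guard (my assumption, not part of the upstream fix): bound even the
 * correct 64-bit sum before it reaches the allocator, since a multi-gigabyte
 * sdr_malloc() is itself a resource-exhaustion risk. 1 = accepted, 0 = rejected. */
int block_size_checked(const struct pdu_fields *pdu, uvast maxBlock, uvast *out)
{
    uvast blockSize = block_size_fixed(pdu);
    if (blockSize > maxBlock) return 0;
    *out = blockSize;
    return 1;
}

/* Mirrors the ion.c fix (CWE-197): refuse to narrow a 64-bit SDNV value into
 * a 32-bit destination when it does not fit. 1 = stored, 0 = rejected. */
int sdnv_to_u32(uvast val, unsigned int *into)
{
    if (val > UINT_MAX) return 0;
    *into = (unsigned int)val;
    return 1;
}

int main(void)
{
    struct pdu_fields pdu = { 0xFFFFFFF0u, 0x00000020u };  /* PoC packet 1 */
    printf("vulnerable blockSize = %llu\n", (unsigned long long)block_size_vulnerable(&pdu));
    printf("fixed blockSize      = %llu\n", (unsigned long long)block_size_fixed(&pdu));
    return 0;
}
```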
Impact
ION-DTN has been operational on the International Space Station since 2016 and is the reference DTN implementation used by NASA JPL and ESA OPS-SAT. On flight hardware without ASLR/DEP (VxWorks, RTEMS), a controlled heap overflow reachable via unauthenticated UDP could allow arbitrary code execution through the ground-to-spacecraft link.
The attacker requires UDP access to the LTP port — achievable from a compromised ground station, a co-located experiment on the ISS network, or a mission integration/test environment.