memory access out of range in MbedOS CoAP library builder part #11804

@TheSilentDawn

Description

Description of defect

Reference: https://github.com/ARMmbed/mbed-os/tree/master/features/frameworks/mbed-coap
Function: sn_coap_builder_calc_needed_packet_data_size_2

Type: Integer overflow

The CoAP builder is responsible for crafting outgoing CoAP messages. The function sn_coap_builder_calc_needed_packet_data_size_2() calculates the memory needed for the CoAP message from the sn_coap_hdr_s data structure. Both returned_byte_count and src_coap_msg_ptr->payload_len are of type uint16_t, so when they are added together the sum stored in returned_byte_count wraps around past the uint16_t maximum, as shown in line 4 below. As a result, an insufficient buffer is allocated for the corresponding CoAP message.

```c
uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src_coap_msg_ptr, ...)
{
    ...
    returned_byte_count += src_coap_msg_ptr->payload_len;
    ...
}
```
When the data in the sn_coap_hdr_s is copied into the allocated buffer, an out-of-bounds memory access occurs (line 4 below).

```c
static int16_t sn_coap_builder_options_build_add_one_option(..., uint16_t option_len, const uint8_t *option_ptr, ...)
{
    ...
    memcpy(dest_packet, option_ptr, option_len);
    ...
}
```

In the following, we list other locations which will cause out-of-bounds memory accesses rooted in this vulnerability:

```c
**dst_packet_data_pptr = 0xff;
dest_packet[0] = first_byte + (option_delta << 4);
dest_packet[1] = src_coap_msg_ptr->msg_code;
dest_packet[2] = (uint8_t)(src_coap_msg_ptr->msg_id >> COAP_HEADER_MSG_ID_MSB_SHIFT); /* MSB part */
dest_packet[3] = (uint8_t)src_coap_msg_ptr->msg_id; /* LSB part */
dest_packet[1] = (uint8_t)option_delta;
memcpy(dest_packet, option_ptr, option_len);
```

Result: Memory corruption.
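The following is an added example, not code from mbed-coap or from the reporter. It models the arithmetic described above with a simplified, hypothetical size calculation (the 4-byte fixed header, a token, one option and the 0xff payload marker are assumptions standing in for the real builder's terms, and the function names are made up): the unchecked version accumulates in a uint16_t and wraps exactly as the issue describes, the checked version accumulates in a 32-bit type and rejects any total that no longer fits the 16-bit length the caller will allocate, and a third helper reports how many bytes a subsequent copy would land past a buffer sized by the wrapped value.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors the defect pattern: a uint16_t accumulator to which uint16_t
 * lengths are added. The addition itself happens in int, but the store
 * back into the uint16_t truncates, so large messages wrap modulo 65536.
 * (Hypothetical model: the fixed terms are assumptions, not mbed-coap's.) */
uint16_t calc_needed_size_unchecked(uint16_t token_len, uint16_t uri_path_len,
                                    uint16_t payload_len)
{
    uint16_t returned_byte_count = 4;           /* assumed fixed CoAP header */
    returned_byte_count += token_len;            /* token bytes */
    returned_byte_count += uri_path_len + 1;     /* one option + its header byte */
    returned_byte_count += 1;                    /* 0xff payload marker */
    returned_byte_count += payload_len;          /* wraps when the total > 65535 */
    return returned_byte_count;
}

/* Hardened version: accumulate in uint32_t and refuse any total that does
 * not fit the 16-bit size the caller will pass to the allocator.
 * Returns the size, or -1 if the message cannot be represented. */
int32_t calc_needed_size_checked(uint16_t token_len, uint16_t uri_path_len,
                                 uint16_t payload_len)
{
    uint32_t total = 4;
    total += token_len;
    total += (uint32_t)uri_path_len + 1;
    total += 1;
    total += payload_len;
    if (total > UINT16_MAX) {
        return -1;                               /* would wrap: reject, don't allocate */
    }
    return (int32_t)total;
}

/* Models the consequence: the builder later writes the real byte count into
 * a buffer sized by the wrapped value. Returns how many bytes would land
 * past the end of that buffer (0 means the writes fit). */
uint32_t bytes_past_buffer(uint16_t token_len, uint16_t uri_path_len,
                           uint16_t payload_len)
{
    uint32_t real = 4u + token_len + (uint32_t)uri_path_len + 1u + 1u + payload_len;
    uint16_t allocated = calc_needed_size_unchecked(token_len, uri_path_len, payload_len);
    return real > allocated ? real - allocated : 0;
}

int main(void)
{
    /* Constructed inputs: a small message and one whose total exceeds 65535. */
    uint16_t small[3] = { 8, 10, 100 };
    uint16_t big[3]   = { 8, 100, 65500 };

    printf("small: unchecked=%u checked=%d overrun=%u\n",
           calc_needed_size_unchecked(small[0], small[1], small[2]),
           calc_needed_size_checked(small[0], small[1], small[2]),
           bytes_past_buffer(small[0], small[1], small[2]));
    printf("big:   unchecked=%u checked=%d overrun=%u\n",
           calc_needed_size_unchecked(big[0], big[1], big[2]),
           calc_needed_size_checked(big[0], big[1], big[2]),
           bytes_past_buffer(big[0], big[1], big[2]));
    return 0;
}
```

For the large input the unchecked accumulator reports 78 bytes while the builder would actually write 65614, so the checked variant returning -1 (and the caller refusing to build the message) is the behaviour a fix needs; any allocation path that trusts a uint16_t sum of uint16_t lengths has the same exposure.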

Target(s) affected by this defect ?

MbedOS CoAP library

Toolchain(s) (name and version) displaying this defect ?

N/A

What version of Mbed-os are you using (tag or sha) ?

MbedOS 5.13.2

What version(s) of tools are you using. List all that apply (E.g. mbed-cli)

mbed-cli latest version

How is this defect reproduced ?

N/A
