Description of defect
Reference: https://github.com/ARMmbed/mbed-os/tree/master/features/frameworks/mbed-coap
Function: sn_coap_builder_calc_needed_packet_data_size_2
```c
returned_byte_count += src_coap_msg_ptr->payload_len;
```
Type: Integer overflow
The CoAP builder is responsible for crafting outgoing CoAP messages. The function sn_coap_builder_calc_needed_packet_data_size_2() calculates the memory needed for the CoAP message from the sn_coap_hdr_s data structure. Both returned_byte_count and src_coap_msg_ptr->payload_len are of type uint16_t. When they are added together, returned_byte_count wraps around past its maximum value (65535), as shown in the statement below. As a result, an insufficient buffer is allocated for the corresponding CoAP message.
```c
uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src_coap_msg_ptr, ...)
{
...
returned_byte_count += src_coap_msg_ptr->payload_len;
...
}
```
When the data in the sn_coap_hdr_s is copied into the allocated buffer, an out-of-bounds memory access happens at the memcpy() below, because option_len is trusted while the destination buffer was sized from the wrapped count.
```c
static int16_t sn_coap_builder_options_build_add_one_option(..., uint16_t option_len, const uint8_t *option_ptr, ...)
{
...
memcpy(dest_packet, option_ptr, option_len);
...
}
```
In the following, we list other locations which will cause out-of-bounds memory accesses rooted in this vulnerability.
```c
**dst_packet_data_pptr = 0xff;
dest_packet[0] = first_byte + (option_delta << 4);
dest_packet[1] = src_coap_msg_ptr->msg_code;
dest_packet[2] = (uint8_t)(src_coap_msg_ptr->msg_id >> COAP_HEADER_MSG_ID_MSB_SHIFT); /* MSB part */
dest_packet[3] = (uint8_t)src_coap_msg_ptr->msg_id; /* LSB part */
dest_packet[1] = (uint8_t)option_delta;
memcpy(dest_packet, option_ptr, option_len);
```
Result: Memory corruption.
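As an added illustration (not code from the mbed-coap project or from this report), the following C program reproduces the uint16_t wrap described above in a simplified size calculation, places a width-checked variant beside it, and shows a bounds-checked copy of the kind the memcpy() sites listed above would need. All names (COAP_FIXED_HEADER_LEN, calc_needed_size_unchecked, calc_needed_size_checked, copy_payload_bounded, demo_copy_into_16_byte_buffer) are hypothetical and the fixed 4-byte header constant is an assumption made to keep the arithmetic concrete.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed fixed CoAP header size; hypothetical constant for this example. */
#define COAP_FIXED_HEADER_LEN 4u

/* Mirrors the defect: the accumulator is uint16_t, so adding a uint16_t
 * payload length wraps modulo 65536 without any error indication. */
uint16_t calc_needed_size_unchecked(uint16_t options_len, uint16_t payload_len)
{
    uint16_t returned_byte_count = COAP_FIXED_HEADER_LEN;
    returned_byte_count += options_len;
    returned_byte_count += payload_len; /* wraps when the sum exceeds 65535 */
    return returned_byte_count;
}

/* Hardened variant: accumulate in a wider type and refuse any total that
 * does not fit the uint16_t result the caller expects. Returns 0 on
 * overflow so the caller can treat 0 as "message cannot be built". */
uint16_t calc_needed_size_checked(uint16_t options_len, uint16_t payload_len)
{
    uint32_t total = COAP_FIXED_HEADER_LEN;
    total += options_len;
    total += payload_len;
    if (total > UINT16_MAX) {
        return 0;
    }
    return (uint16_t)total;
}

/* Bounds-checked copy: only write src_len bytes at dst + offset when they
 * fit inside dst_len. Returns the number of bytes copied, or -1 if the copy
 * would run past the end of the destination buffer. */
int copy_payload_bounded(uint8_t *dst, size_t dst_len, size_t offset,
                         const uint8_t *src, uint16_t src_len)
{
    if (offset > dst_len || src_len > dst_len - offset) {
        return -1;
    }
    memcpy(dst + offset, src, src_len);
    return (int)src_len;
}

/* Small driver: try to place a payload of the given length after a 4-byte
 * header inside a constructed 16-byte destination buffer. */
int demo_copy_into_16_byte_buffer(uint16_t payload_len)
{
    uint8_t dst[16];
    uint8_t src[64];
    memset(src, 0xAB, sizeof src); /* constructed payload bytes */
    if (payload_len > sizeof src) {
        payload_len = (uint16_t)sizeof src;
    }
    return copy_payload_bounded(dst, sizeof dst, COAP_FIXED_HEADER_LEN, src, payload_len);
}

int main(void)
{
    /* 4 + 10 + 65535 = 65549, which wraps to 13 in the unchecked version. */
    printf("unchecked: %u\n", calc_needed_size_unchecked(10, 65535));
    printf("checked:   %u\n", calc_needed_size_checked(10, 65535));
    printf("copy 12:   %d\n", demo_copy_into_16_byte_buffer(12));
    printf("copy 13:   %d\n", demo_copy_into_16_byte_buffer(13));
    return 0;
}
```

The unchecked function returns 13 for a 10-byte option block and a 65535-byte payload, so any allocation based on it is far too small; the checked function returns 0 for the same input and 114 for a 10-byte option block with a 100-byte payload. The same idea applies to the copy: sizing the buffer correctly is necessary, but each write into it should still be checked against the buffer's real length.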
Target(s) affected by this defect ?
MbedOS CoAP library
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.13.2
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
mbed-cli latest version
How is this defect reproduced ?
N/A