memory access out of range in MbedOS CoAP library builder part #11804
Description
Description of defect
Reference: https://github.com/ARMmbed/mbed-os/tree/master/features/frameworks/mbed-coap
Function: sn_coap_builder_calc_needed_packet_data_size_2
Type: Integer overflow
The CoAP builder is responsible for crafting outgoing CoAP messages. The function sn_coap_builder_calc_needed_packet_data_size_2() is used to calculate the needed memory for the CoAP message from the sn_coap_hdr_s data structure. Both returned_byte_count and src_coap_msg_ptr->payload_len are of type uint16_t. When added together, the result returned_byte_count will wrap around the maximum as shown in line 4. As a result, insufficient buffer is allocated for the corresponding CoAP message.
uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src_coap_msg_ptr, ...)
{
...
returned_byte_count += src_coap_msg_ptr->payload_len;
...
}
When the data in the sn_coap_hdr_s is copied into the allocated buffer, out-of-bound memory access will happen (line 4).
```c
static int16_t sn_coap_builder_options_build_add_one_option(..., uint16_t option_len, const uint8_t *option_ptr, ...)
{
...
memcpy(dest_packet, option_ptr, option_len);
...
}In the following, we list other locations which will cause out-of-bound memory accesses rooted in this vulnerability.
Result: Memory corruption.
Target(s) affected by this defect ?
MbedOS CoAP library
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.13.2
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
mbed-cli latest version
How is this defect reproduced ?
N/A