memory access out of range in MbedOS CoAP library parser part #11803

Description of defect

Reference: https://github.com/ARMmbed/mbed-os/tree/master/features/frameworks/mbed-coap
Function: sn_coap_parser_options_parse
Location: mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 301 in d91ed5f
Type: Buffer overflow

The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses CoAP input linearly using a while loop. Once an option is parsed in a loop iteration, the current pointer (*packet_data_pptr) is increased correspondingly. The pointer is restricted by the size of the received buffer, as well as by a delimiter byte 0xFF, as shown in line 4 of the code snippet below.

Unfortunately, inside each while loop iteration, the check of the value of packet_data_pptr is not strictly enforced. More specifically, inside an iteration, packet_data_pptr could be increased and then dereferenced without checking. Moreover, there are many other functions of the form sn_coap_parser_**() that do not check whether the pointer is within the bounds of the allocated buffer. All of these lead to heap or stack buffer overflow, depending on how the CoAP packet buffer is allocated.

In the following, we list other locations which cause out-of-bounds memory accesses rooted in this vulnerability:

- mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 660 in d91ed5f
- mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 331 in d91ed5f
- mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 257 in d91ed5f
- mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 310 in d91ed5f
- mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 313 in d91ed5f
- mbed-os/features/frameworks/mbed-coap/source/sn_coap_protocol.c, line 2488 in d0686fd

Result: Memory corruption.

Target(s) affected by this defect?
MbedOS CoAP library

Toolchain(s) (name and version) displaying this defect?
N/A

What version of Mbed-os are you using (tag or sha)?
MbedOS 5.13.2

What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
mbed-cli latest version

How is this defect reproduced?
Using bug_coap_1_1, bug_coap_1_2, bug_coap_1_3, bug_coap_1_4, bug_coap_1_5 and bug_coap_1_6 as input to the demo code below, the crash examples listed above in sn_coap_parser.c will be triggered.

bug_coap_1_1.log
bug_coap_1_2.log
bug_coap_1_3.log
bug_coap_1_4.log
bug_coap_1_5.log
bug_coap_1_6.log

Comments

@TheSilentDawn Could you please update the title of your issues to actually describe what the bug is rather than just 'bug 1' etc? Thanks

@adbridge No problem.

Internal Jira reference: https://jira.arm.com/browse/MBOTRIAGE-2329

Thank you for this error report, this will be fixed in an upcoming release.

Thanks @TheSilentDawn This issue was fixed as part of Mbed OS 5.15.1 release. Closing as fixed.
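The parsing pattern the report describes, as an added example that is not code from mbed-coap, from the reporter, or from the Mbed OS fix: a minimal CoAP option walker (RFC 7252 section 3.1 option header format) written twice. The naive walker is a simplified model of the loop the report describes, checking the cursor only in the while condition and then consuming extension bytes and the option value unchecked; the checked parser verifies every read against the end of the buffer. The sample option blocks are constructed for this example (the bytes that would follow the 4-byte CoAP header and token), and the naive walker is run inside a large zero-filled buffer so that the overrun can be measured rather than crashing the demo. Names such as coap_options_parse_checked and naive_options_walk are this example's own.

```c
/* Added example: CoAP option parsing with and without bounds checks.
 * Header byte = delta (high nibble) | length (low nibble); nibble 13 means one
 * extension byte follows (value + 13), nibble 14 means a 16-bit big-endian
 * extension follows (value + 269), nibble 15 is reserved except for the whole
 * byte 0xFF, which is the payload marker. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COAP_PAYLOAD_MARKER 0xFF

typedef struct {
    uint16_t number;       /* option number: running sum of deltas */
    size_t length;         /* value length, up to 269 + 65535 */
    const uint8_t *value;  /* points into the packet buffer */
} coap_option_t;

/* Naive walker modelled on the report: only the loop condition looks at `end`.
 * Returns how many bytes past `end` the cursor finished (0 if it stayed inside). */
static ptrdiff_t naive_options_walk(const uint8_t *p, const uint8_t *end)
{
    while (p < end && *p != COAP_PAYLOAD_MARKER) {
        unsigned delta = *p >> 4, length = *p & 0x0F;
        p++;
        if (delta == 13)       p += 1;                       /* ext byte not checked */
        else if (delta == 14)  p += 2;
        if (length == 13)      { length = 13u + p[0]; p += 1; }
        else if (length == 14) { length = 269u + (((unsigned)p[0] << 8) | p[1]); p += 2; }
        p += length;           /* value skipped without checking it is present */
    }
    return p > end ? p - end : 0;
}

/* Decode a delta/length nibble plus its extension bytes, refusing to read past end. */
static int read_extended(unsigned nibble, const uint8_t **pp, const uint8_t *end, size_t *out)
{
    const uint8_t *p = *pp;
    if (nibble < 13) { *out = nibble; return 0; }
    if (nibble == 15) return -1;                              /* reserved nibble */
    if (nibble == 13) {
        if (end - p < 1) return -1;                           /* extension byte missing */
        *out = 13u + p[0]; *pp = p + 1; return 0;
    }
    if (end - p < 2) return -1;                               /* 16-bit extension truncated */
    *out = 269u + (((size_t)p[0] << 8) | p[1]); *pp = p + 2; return 0;
}

/* Checked parser: returns the option count, or -1 for malformed/truncated input.
 * *payload is set to the first payload byte, or NULL when there is no payload. */
static int coap_options_parse_checked(const uint8_t *buf, size_t len, coap_option_t *out,
                                      size_t max_out, const uint8_t **payload)
{
    const uint8_t *p = buf, *end = buf + len;
    unsigned number = 0;
    int n = 0;
    *payload = NULL;
    while (p < end) {
        if (*p == COAP_PAYLOAD_MARKER) {
            if (p + 1 >= end) return -1;      /* marker with empty payload is a format error */
            *payload = p + 1;
            return n;
        }
        unsigned dn = *p >> 4, ln = *p & 0x0F;
        size_t delta, length;
        p++;
        if (read_extended(dn, &p, end, &delta) < 0) return -1;
        if (read_extended(ln, &p, end, &length) < 0) return -1;
        if ((size_t)(end - p) < length) return -1;             /* value truncated */
        number += (unsigned)delta;
        if (number > 0xFFFF || (size_t)n >= max_out) return -1;
        out[n].number = (uint16_t)number; out[n].length = length; out[n].value = p;
        n++;
        p += length;
    }
    return n;
}

/* Constructed samples. PKT_VALID: Uri-Path "temp", Content-Format 50,
 * Uri-Query "sensor=kitchen" (14 bytes, so length nibble 13 + ext byte 1), marker, "{}". */
static const uint8_t PKT_VALID[] = { 0xB4,'t','e','m','p', 0x11,0x32,
    0x3D,0x01,'s','e','n','s','o','r','=','k','i','t','c','h','e','n', 0xFF,'{','}' };
/* Option claiming a 29-byte value (0x2D 0x10) with only 4 bytes left. */
static const uint8_t PKT_TRUNC_VALUE[] = { 0xB4,'t','e','m','p', 0x2D,0x10,'a','b','c','d' };
/* Length nibble 14 with only one of its two extension bytes present. */
static const uint8_t PKT_TRUNC_EXT[] = { 0xB4,'t','e','m','p', 0x1E,0x00 };

int demo_valid_count(void)
{ coap_option_t o[8]; const uint8_t *pl; return coap_options_parse_checked(PKT_VALID, sizeof PKT_VALID, o, 8, &pl); }
int demo_valid_payload_offset(void)
{ coap_option_t o[8]; const uint8_t *pl; coap_options_parse_checked(PKT_VALID, sizeof PKT_VALID, o, 8, &pl); return (int)(pl - PKT_VALID); }
int demo_valid_last_number(void)
{ coap_option_t o[8]; const uint8_t *pl; int n = coap_options_parse_checked(PKT_VALID, sizeof PKT_VALID, o, 8, &pl); return n > 0 ? o[n - 1].number : -1; }
int demo_truncated_value(void)
{ coap_option_t o[8]; const uint8_t *pl; return coap_options_parse_checked(PKT_TRUNC_VALUE, sizeof PKT_TRUNC_VALUE, o, 8, &pl); }
int demo_truncated_ext(void)
{ coap_option_t o[8]; const uint8_t *pl; return coap_options_parse_checked(PKT_TRUNC_EXT, sizeof PKT_TRUNC_EXT, o, 8, &pl); }
/* Naive walker on the truncated packet, placed in a zeroed 256-byte buffer so the overrun is only measured. */
long demo_naive_overrun(void)
{
    uint8_t padded[256] = {0};
    memcpy(padded, PKT_TRUNC_VALUE, sizeof PKT_TRUNC_VALUE);
    return (long)naive_options_walk(padded, padded + sizeof PKT_TRUNC_VALUE);
}

int main(void)
{
    printf("valid: %d options, payload at offset %d\n", demo_valid_count(), demo_valid_payload_offset());
    printf("truncated value -> %d, truncated ext header -> %d\n", demo_truncated_value(), demo_truncated_ext());
    printf("naive walker overran the buffer by %ld bytes\n", demo_naive_overrun());
    return 0;
}
```

The two truncated packets exercise the two places where a check must sit: before reading the extension bytes of the header, and before skipping or copying the option value. In the naive walker the 0x2D 0x10 header is accepted at face value and the cursor lands 25 bytes past the end of an 11-byte packet; on a real device the following memcpy of the option value, or the next header read, is the out-of-bounds access.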