memory access out of range in MbedOS CoAP library builder part

[TheSilentDawn]

Description of defect

Reference: https://github.com/ARMmbed/mbed-os/tree/master/features/frameworks/mbed-coap
Function: sn_coap_builder_calc_needed_packet_data_size_2

mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c

Line 355 in d0686fd

returned_byte_count += src_coap_msg_ptr->payload_len;

Type: Integer overflow
The CoAP builder is responsible for crafting outgoing CoAP messages. The function sn_coap_builder_calc_needed_packet_data_size_2() is used to calculate the needed memory for the CoAP message from the sn_coap_hdr_s data structure. Both returned_byte_count and src_coap_msg_ptr->payload_len are of type uint16_t. When added together, the result returned_byte_count will wrap around the maximum as shown in line 4. As a result, insufficient buffer is allocated for the corresponding CoAP message.

uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src_coap_msg_ptr, ...)
{
...
       returned_byte_count += src_coap_msg_ptr->payload_len;
...
}
When the data in the sn_coap_hdr_s is copied into the allocated buffer, out-of-bound memory access will happen (line 4).
```c
static int16_t sn_coap_builder_options_build_add_one_option(..., uint16_t option_len, const uint8_t *option_ptr, ...)
{
...
    	memcpy(dest_packet, option_ptr, option_len);
...
}

In the following, we list other locations which will cause out-of-bound memory accesses rooted in this vulnerability.

mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c

Line 1090 in d0686fd

**dst_packet_data_pptr = 0xff;

mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c

Line 710 in d0686fd

dest_packet[0] = first_byte + (option_delta << 4);

mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c

Line 524 in d0686fd

dest_packet[1] = src_coap_msg_ptr->msg_code;

mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c

Line 527 in d0686fd

dest_packet[2] = (uint8_t)(src_coap_msg_ptr->msg_id >> COAP_HEADER_MSG_ID_MSB_SHIFT); /* MSB part */

mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c

Line 528 in d0686fd

dest_packet[3] = (uint8_t)src_coap_msg_ptr->msg_id; /* LSB part */

mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c

Line 718 in d0686fd

dest_packet[1] = (uint8_t)option_delta;

mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c

Line 746 in d0686fd

memcpy(dest_packet, option_ptr, option_len);

Result: Memory corruption.

Target(s) affected by this defect ?

MbedOS CoAP library

Toolchain(s) (name and version) displaying this defect ?

N/A

What version of Mbed-os are you using (tag or sha) ?

MbedOS 5.13.2

What version(s) of tools are you using. List all that apply (E.g. mbed-cli)

mbed-cli latest version

How is this defect reproduced ?

N/A

[0xc0170]

cc @anttiylitokola

[ciarmcom]

Internal Jira reference: https://jira.arm.com/browse/MBOTRIAGE-2328

[JanneKiiskila]

Thank you for this error report, this will be fixed in an upcoming release.

[teetak01]

Thanks @TheSilentDawn

This issue was fixed as part of Mbed OS 5.15.1 release.

#12147

Closing as fixed.