Type: Integer overflow
The CoAP builder is responsible for crafting outgoing CoAP messages. The function sn_coap_builder_calc_needed_packet_data_size_2() calculates the memory needed for a CoAP message from the sn_coap_hdr_s data structure. Both returned_byte_count and src_coap_msg_ptr->payload_len are of type uint16_t, so when they are added the result stored in returned_byte_count wraps around modulo 2^16 once the sum exceeds 65535, as shown in line 4. As a result, too small a buffer is allocated for the corresponding CoAP message.
```c
uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src_coap_msg_ptr, ...)
{
    ...
    returned_byte_count += src_coap_msg_ptr->payload_len;
    ...
}
```
When the data from the sn_coap_hdr_s is copied into the allocated buffer, an out-of-bounds memory access occurs (line 4).
```c
static int16_t sn_coap_builder_options_build_add_one_option(..., uint16_t option_len, const uint8_t *option_ptr, ...)
{
    ...
    memcpy(dest_packet, option_ptr, option_len);
    ...
}
```
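As an added example (not code from mbed-coap), the wrap described above next to one way to guard the size calculation; the struct and function names are constructed stand-ins for the sn_coap_hdr_s fields the real function sums:

```c
#include <stdint.h>
#include <stdbool.h>

/* Constructed stand-in for the quantities the size calculation adds up
   (not the real sn_coap_hdr_s). */
typedef struct {
    uint16_t header_len;   /* fixed header, token and encoded options */
    uint16_t payload_len;  /* plays the role of src_coap_msg_ptr->payload_len */
} msg_size_parts_t;

/* Mirrors the reported pattern: accumulator and operands are all uint16_t,
   so the sum is silently reduced modulo 65536 and the caller allocates
   a buffer that is far too small. */
uint16_t calc_needed_size_unchecked(const msg_size_parts_t *m)
{
    uint16_t returned_byte_count = m->header_len;
    returned_byte_count += m->payload_len; /* wraps when the sum exceeds 65535 */
    return returned_byte_count;
}

/* Hardened variant: accumulate in a wider type and refuse any total that the
   uint16_t contract cannot represent. Returns false instead of a wrapped
   value, so the caller rejects the message rather than allocating for it. */
bool calc_needed_size_checked(const msg_size_parts_t *m, uint16_t *out)
{
    uint32_t total = (uint32_t)m->header_len + (uint32_t)m->payload_len;
    if (total > UINT16_MAX) {
        return false;
    }
    *out = (uint16_t)total;
    return true;
}

/* Copy-side guard for the memcpy stage: a copy of copy_len bytes at offset
   must fit inside the buffer that was sized from the computed total.
   The comparison is done in 32 bits so it cannot wrap either. */
bool copy_fits(uint16_t buffer_size, uint16_t offset, uint16_t copy_len)
{
    return (uint32_t)offset + (uint32_t)copy_len <= (uint32_t)buffer_size;
}
```

With header_len 60000 and payload_len 10000 the unchecked sum yields 4464 (70000 - 65536), while the checked variant reports failure.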
Description of defect
Reference: https://github.com/ARMmbed/mbed-os/tree/master/features/frameworks/mbed-coap
Function: sn_coap_builder_calc_needed_packet_data_size_2
mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c
Line 355 in d0686fd
In the following, we list other locations which will cause out-of-bound memory accesses rooted in this vulnerability.
mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c
Line 1090 in d0686fd
mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c
Line 710 in d0686fd
mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c
Line 524 in d0686fd
mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c
Line 527 in d0686fd
mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c
Line 528 in d0686fd
mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c
Line 718 in d0686fd
mbed-os/features/frameworks/mbed-coap/source/sn_coap_builder.c
Line 746 in d0686fd
Result: Memory corruption.
Target(s) affected by this defect ?
MbedOS CoAP library
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.13.2
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
mbed-cli latest version
How is this defect reproduced ?
N/A