As general advice, a single function that increments the current packet data pointer with a boundary (underflow/overflow) check is recommended.
A structure holding the incoming packet buffer boundaries (start pointer, length) and the current position could then be passed around in the parser. Each function that needs to advance the current pointer would be required to do so by calling a function that increments the pointer and validates it.
Description of defect
References:
https://github.com/ARMmbed/mbed-os/tree/mbed-os-5.15.3/features/frameworks/mbed-coap
https://github.com/ARMmbed/mbed-coap/tree/v5.1.5
File:
sn_coap_parser.c
Analysis:
If a packet with an option delta lower than 13 is parsed, the remaining message length is incorrectly calculated in the line:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 329 in b6370b4
The packet data pointer is not incremented prior to the remaining message length calculation and therefore it does not account for the option byte. This allows a malformed message with no option value following to pass through the message length check in the lines:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, lines 331 to 335 in b6370b4
For short option lengths the remaining message length is unchanged after option length processing:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 361 in b6370b4
allowing it to pass through the final message length check:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, lines 391 to 395 in b6370b4
In option processing code the packet data pointer is incremented beyond the input buffer boundary and passed for further processing, e.g. in:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 529 in b6370b4
The invalid pointer is then accessed by functions called from option processing code, e.g. in:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 257 in b6370b4
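The bounded-cursor approach suggested above, as an added example written for this report (not mbed-coap's own code): a cursor struct carries the buffer start, length and position, every advance goes through one checked function, and the option byte is consumed before the value length is checked, so an option with no value behind it is rejected instead of passing the remaining-length check. The struct and function names are assumptions; the inputs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical bounded cursor over an incoming packet buffer. */
typedef struct {
    const uint8_t *start;
    size_t len;   /* total bytes in the buffer */
    size_t pos;   /* current offset, invariant: pos <= len */
} pkt_cursor_t;

/* The single place the pointer moves: advance by n only if n bytes remain. */
static bool cursor_advance(pkt_cursor_t *c, size_t n) {
    if (n > c->len - c->pos) return false;   /* would run past the buffer */
    c->pos += n;
    return true;
}

/* Parse one CoAP option header (RFC 7252 section 3.1) in its short form
   (delta and length both < 13). Returns the value length, or -1 on truncated
   input. Extended delta/length (13, 14) and the 0xFF payload marker are
   out of scope here and rejected. */
static int parse_short_option(pkt_cursor_t *c, uint8_t *delta_out) {
    if (c->pos >= c->len) return -1;         /* no option byte at all */
    uint8_t hdr = c->start[c->pos];
    if (hdr == 0xFF) return -1;              /* payload marker, not an option */
    uint8_t delta = hdr >> 4, len = hdr & 0x0F;
    if (delta >= 13 || len >= 13) return -1; /* extended forms not handled */
    /* Consume the option byte BEFORE accounting for the value: skipping this
       step is what lets a value-less option pass the remaining-length check. */
    if (!cursor_advance(c, 1)) return -1;
    if (!cursor_advance(c, len)) return -1;  /* the value must fit in the buffer */
    *delta_out = delta;
    return len;
}

/* Constructed malformed input: option byte 0x31 (delta 3, length 1), no value. */
int parse_truncated_option_example(void) {
    static const uint8_t pkt[] = { 0x31 };
    pkt_cursor_t c = { pkt, sizeof pkt, 0 };
    uint8_t delta;
    return parse_short_option(&c, &delta);   /* returns -1 */
}

/* Constructed well-formed input: same header followed by its one value byte. */
int parse_valid_option_example(void) {
    static const uint8_t pkt[] = { 0x31, 0x2A };
    pkt_cursor_t c = { pkt, sizeof pkt, 0 };
    uint8_t delta;
    return parse_short_option(&c, &delta);   /* returns 1 */
}
```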
Type:
Result:
Target(s) affected by this defect ?
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.15.3
What version(s) of tools are you using? List all that apply (e.g. mbed-cli)
N/A
How is this defect reproduced ?
Parsing the provided example input with the sn_coap_parser() function.
sn_coap_parser.c:257__read_buffer_overflow.log