Description of defect
References:
https://github.com/ARMmbed/mbed-os/tree/mbed-os-5.15.3/features/frameworks/mbed-coap
https://github.com/ARMmbed/mbed-coap/tree/v5.1.5
File:
sn_coap_parser.c
Analysis:
If a packet with option delta equal to 13 or 14 is parsed with no extended option delta following, access beyond the packet data buffer is made due to insufficient message length checks:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 309 to 322 in b6370b4
Before option number processing, the number of message bytes left is calculated including the option delta/option length byte:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Line 298 in b6370b4
In case of option delta set to 13, the extended delta byte is accessed in the following line without a prior check for an out-of-bounds buffer index:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Line 310 in b6370b4
In case of option delta set to 14, the extended delta bytes are accessed with an insufficient index check. As the message_left variable includes the option delta byte, the check will pass a malformed frame if there is only one extended delta byte following:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 312 to 315 in b6370b4
Type:
Result:
Target(s) affected by this defect ?
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.15.3
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
N/A
How is this defect reproduced ?
Parsing the provided example input with the sn_coap_parser() function.
sn_coap_parser.c:310__read_buffer_overflow_minimal.log
sn_coap_parser.c:314__read_buffer_overflow_minimal.log
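The length check this report describes as insufficient, written out as an added example (not mbed-coap code and not part of the original issue): a stand-alone decoder for one CoAP option header (RFC 7252 section 3.1) that counts the remaining bytes after the delta/length byte has been consumed. The function names `read_ext` and `coap_option_header` and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: resolve one 4-bit nibble (delta or length) into its
 * full value, reading 0, 1 or 2 extended bytes at buf[*pos].
 * Invariant on entry and exit: *pos <= len, so len - *pos cannot wrap. */
static int read_ext(const uint8_t *buf, size_t len, size_t *pos,
                    uint8_t nibble, uint32_t *out)
{
    size_t need = (nibble == 13) ? 1 : (nibble == 14) ? 2 : 0;
    if (nibble == 15) return -1;       /* reserved; 0xFF marker is the caller's job */
    if (len - *pos < need) return -1;  /* extended bytes must lie inside buf */
    if (need == 0) *out = nibble;
    else if (need == 1) *out = (uint32_t)buf[*pos] + 13;
    else *out = (((uint32_t)buf[*pos] << 8) | buf[*pos + 1]) + 269;
    *pos += need;
    return 0;
}

/* Decode the option header at buf[0..len). Returns the number of header
 * bytes consumed, or -1 if the header or the option value is truncated. */
int coap_option_header(const uint8_t *buf, size_t len,
                       uint32_t *delta, uint32_t *opt_len)
{
    size_t pos = 1;                    /* the nibble byte is already consumed */
    if (len < 1) return -1;
    if (read_ext(buf, len, &pos, buf[0] >> 4, delta) != 0) return -1;
    if (read_ext(buf, len, &pos, buf[0] & 0x0F, opt_len) != 0) return -1;
    if (len - pos < *opt_len) return -1;   /* option value must fit too */
    return (int)pos;
}

int main(void)
{
    /* Constructed inputs: delta nibble 13 with no extended byte, delta
     * nibble 14 with only one extended byte, and a well-formed option. */
    const uint8_t d13[] = { 0xD0 };
    const uint8_t d14[] = { 0xE0, 0x01 };
    const uint8_t ok[]  = { 0xD1, 0x02, 0xAA };
    uint32_t delta = 0, olen = 0;
    int a = coap_option_header(d13, sizeof d13, &delta, &olen);
    int b = coap_option_header(d14, sizeof d14, &delta, &olen);
    int c = coap_option_header(ok, sizeof ok, &delta, &olen);
    printf("%d %d %d (delta=%u len=%u)\n", a, b, c, (unsigned)delta, (unsigned)olen);
    return 0;
}
```

Because `pos` starts at 1, the remaining-byte count never includes the delta/length byte, so a frame with a single extended byte after a delta nibble of 14 is rejected rather than read past.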