Description of defect
References:
https://github.com/ARMmbed/mbed-os/tree/mbed-os-5.15.3/features/frameworks/mbed-coap
https://github.com/ARMmbed/mbed-coap/tree/v5.1.5
File:
sn_coap_parser.c
Analysis:
If a packet is sent with option length equal to 13 or 14 but without the extended option length byte(s) following, memory beyond the provided packet buffer is accessed because the message length checks are insufficient:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, lines 341 to 354 in b6370b4
Before option length processing, the number of message bytes left is calculated including the option delta/option length byte:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 329 in b6370b4
In case of option length set to 13, the extended delta length is accessed in the following line without a prior check for the buffer out-of-bounds condition:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, line 343 in b6370b4
In case of option length set to 14, the extended length bytes are accessed with insufficient out-of-bounds condition checks. As the message_left variable includes the option length byte, the check will pass a malformed frame if only one extended length byte follows:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c, lines 345 to 348 in b6370b4
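As an added example (not mbed-coap's code), the following hypothetical option-header parser shows the checks the analysis above says are missing: the remaining-byte count is taken only after the option delta/length byte has been consumed, so a length nibble of 13 requires one further byte, 14 requires two, and the option value itself must also fit in the buffer. The names `coap_parse_option_header` and `coap_option_hdr_t` and the sample frames are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical decoded CoAP option header (RFC 7252 section 3.1 layout). */
typedef struct {
    uint32_t delta;        /* option delta, after extended-byte decoding */
    uint32_t length;       /* option value length, after extended-byte decoding */
    size_t   header_bytes; /* bytes consumed by the header (1 to 5) */
} coap_option_hdr_t;

/* Decode one 4-bit delta/length nibble, consuming extended bytes from buf.
 * 'left' is the number of bytes in buf; '*pos' is the next unread index.
 * Returns 0 on success, -1 if the extended bytes are missing or nibble is 15. */
static int decode_nibble(uint8_t nibble, const uint8_t *buf, size_t left,
                         size_t *pos, uint32_t *out)
{
    if (nibble < 13) {
        *out = nibble;
        return 0;
    }
    if (nibble == 13) {
        if (left - *pos < 1) return -1;          /* one extended byte needed */
        *out = (uint32_t)buf[*pos] + 13;
        *pos += 1;
        return 0;
    }
    if (nibble == 14) {
        if (left - *pos < 2) return -1;          /* two extended bytes needed */
        *out = (((uint32_t)buf[*pos] << 8) | buf[*pos + 1]) + 269;
        *pos += 2;
        return 0;
    }
    return -1;  /* 15 is reserved for the 0xFF payload marker; caller handles it */
}

/* Parse the option header at buf[0..left). Returns 0 and fills hdr on success,
 * -1 if the header or the option value would extend past the buffer. */
int coap_parse_option_header(const uint8_t *buf, size_t left, coap_option_hdr_t *hdr)
{
    size_t pos = 0;
    if (buf == NULL || hdr == NULL || left < 1) return -1;

    uint8_t first = buf[pos++];   /* consumed BEFORE any remaining-length checks */
    if (decode_nibble(first >> 4, buf, left, &pos, &hdr->delta) != 0) return -1;
    if (decode_nibble(first & 0x0F, buf, left, &pos, &hdr->length) != 0) return -1;

    /* The option value must also be fully present. */
    if (left - pos < hdr->length) return -1;

    hdr->header_bytes = pos;
    return 0;
}

/* Constructed frames: a truncated length-14 option and a valid length-13 option. */
static const uint8_t truncated_len14[] = { 0x0E, 0xAA };
static const uint8_t valid_len13[] = { 0x1D, 0x02,
    'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o' };

int main(void)
{
    coap_option_hdr_t h;
    printf("truncated length-14 frame: %s\n",
           coap_parse_option_header(truncated_len14, sizeof truncated_len14, &h) == 0
               ? "accepted" : "rejected");
    if (coap_parse_option_header(valid_len13, sizeof valid_len13, &h) == 0)
        printf("valid frame: delta=%u length=%u header_bytes=%zu\n",
               h.delta, h.length, h.header_bytes);
    return 0;
}
```

The truncated frame carries a length nibble of 14 followed by a single byte; a check that counts the option delta/length byte as part of the remaining length would see two bytes and accept it, while this parser rejects it because only one byte remains after the header byte is consumed.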
Type:
Result:
Target(s) affected by this defect ?
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.15.3
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
N/A
How is this defect reproduced ?
Parsing the provided example inputs with the sn_coap_parser() function.
sn_coap_parser.c:346__read_buffer_overflow_minimal.log
sn_coap_parser.c:342__read_buffer_overflow_minimal.log