Description of defect
References:
https://github.com/ARMmbed/mbed-os/tree/mbed-os-5.15.3/features/frameworks/mbed-coap
https://github.com/ARMmbed/mbed-coap/tree/v5.1.5
File:
sn_coap_parser.c
Analysis:
If a packet with a malformed URI-Query option is provided as input, the parser reads out of the provided input packet memory area.
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 681 to 686 in b6370b4
The packet_data_pptr is accessed after being incremented by option_len without a prior out-of-bounds memory check.
The temp_parsed_uri_query_ptr is validated for correct range, but the range valid for temp_parsed_uri_query_ptr is derived from the amount of allocated heap memory, not the input size. Therefore the check of temp_parsed_uri_query_ptr may be insufficient for safe access to the area pointed to by packet_data_pptr.
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Line 635 in b6370b4
Type:
Result:
Target(s) affected by this defect ?
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.15.3
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
N/A
How is this defect reproduced ?
Parsing the provided example input with the sn_coap_parser() function.
sn_coap_parser.c:684__read_buffer_overflow.log
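The distinction drawn in the analysis above, as an added example that is not code from mbed-coap or from the original report: a range check derived from the destination allocation accepts an option length that exceeds the remaining input, while a copy routine that also bounds the read side against the received length rejects it. The names `pkt_cursor`, `dst_only_check`, `copy_option` and `demo` are hypothetical, and the 4-byte packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified model, not mbed-coap code: a cursor over the received packet. */
typedef struct {
    const uint8_t *data;  /* start of the input packet */
    size_t len;           /* bytes actually received */
    size_t pos;           /* current read offset */
} pkt_cursor;

/* Insufficient check: only asks whether the destination (heap) buffer has
 * room. It says nothing about whether option_len bytes remain in the input. */
static int dst_only_check(size_t dst_used, size_t dst_cap, size_t option_len)
{
    return dst_used <= dst_cap && option_len <= dst_cap - dst_used;
}

/* Hardened copy: validates the read side (input) and the write side (heap)
 * before touching either pointer. Returns 0 on success, -1 on rejection. */
static int copy_option(pkt_cursor *c, size_t option_len,
                       uint8_t *dst, size_t dst_cap, size_t *dst_used)
{
    if (c->pos > c->len || option_len > c->len - c->pos)
        return -1;                  /* would read past the input packet */
    if (*dst_used > dst_cap || option_len > dst_cap - *dst_used)
        return -1;                  /* would write past the allocation */
    memcpy(dst + *dst_used, c->data + c->pos, option_len);
    c->pos += option_len;
    *dst_used += option_len;
    return 0;
}

/* Constructed input: the packet holds 4 option bytes; `claimed` stands for
 * the option length decoded from the option header in the packet. */
static int demo(size_t claimed)
{
    static const uint8_t pkt[4] = { 'a', '=', '1', '&' };
    uint8_t heap_buf[64];
    size_t used = 0;
    pkt_cursor c = { pkt, sizeof pkt, 0 };
    return copy_option(&c, claimed, heap_buf, sizeof heap_buf, &used);
}
```

The subtraction form `option_len > c->len - c->pos` avoids the wrap-around that `c->pos + option_len > c->len` could hit with large lengths.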