If a packet with an option processed by parse_multiple_options() function and declared zero option length is encountered, the parser enters an infinite loop.
while ((temp_parsed_uri_query_ptr-*dst_pptr) <uri_query_needed_heap) {
Which leaves (*packet_data_pptr) unmodified, pointing at the same option which leads to sn_coap_parser_options_parse() looping over the same option in an infinite loop.
Type:
Remote Denial Of Service
Excessive resources usage (CPU time)
System overload
Result:
The procedure loops infinitely
Target(s) affected by this defect ?
MbedOS mbed-coap library 5.1.5
MbedOS 5.15.3
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.15.3
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
N/A
Description of defect
References:
https://github.com/ARMmbed/mbed-os/tree/mbed-os-5.15.3/features/frameworks/mbed-coap
https://github.com/ARMmbed/mbed-coap/tree/v5.1.5
File:
sn_coap_parser.c
Analysis:
If a packet with an option processed by parse_multiple_options() function and declared zero option length is encountered, the parser enters an infinite loop.
Example entry point with zero-length option_len:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 498 to 501 in b6370b4
Together with message_left equal to 1 this results in zero-length needed heap calculation result:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Line 635 in b6370b4
With zero length heap allocation the function exits early without entering the main processing loop:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 652 to 657 in b6370b4
Which leaves (*packet_data_pptr) unmodified, pointing at the same option which leads to sn_coap_parser_options_parse() looping over the same option in an infinite loop.
How is this defect reproduced ?
Parsing the provided example input with the sn_coap_parser() function.
hang1.log
hang_minimal.log
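The stall described in the analysis, reduced to a self-contained model (an added example, not code from mbed-coap or from the report). The simplified option encoding, parse_one(), parse_options(), the consume_empty flag and the sample bytes are assumptions made for illustration: the outer loop checks that the cursor advanced after every helper call, so a helper that returns early on a zero-length option produces a parse error instead of a hang.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified option encoding (assumption, not the full CoAP format):
 * one header byte, high nibble = option delta, low nibble = value length
 * (0..12), followed by the value. 0xFF marks the start of the payload. */

/* Hypothetical helper for one option. With consume_empty == 0 it mirrors
 * the early exit described above: zero bytes to copy, so it returns
 * success and leaves *p on the same header byte. */
static int parse_one(const uint8_t **p, const uint8_t *end, int consume_empty)
{
    uint8_t len = **p & 0x0F;

    if ((**p >> 4) > 12 || len > 12)
        return -1;                    /* extended forms not modelled */
    if (len == 0 && !consume_empty)
        return 0;                     /* cursor not advanced */
    if ((size_t)(end - *p) < (size_t)len + 1)
        return -1;                    /* value runs past the buffer */
    *p += (size_t)len + 1;            /* header byte + value */
    return 0;
}

/* Returns the number of options parsed, or -1 for malformed input or a
 * helper that failed to advance the cursor. */
int parse_options(const uint8_t *buf, size_t n, int consume_empty)
{
    const uint8_t *p = buf, *end = buf + n;
    int count = 0;

    while (p < end && *p != 0xFF) {
        const uint8_t *before = p;

        if (parse_one(&p, end, consume_empty) != 0)
            return -1;
        if (p == before)              /* progress invariant: never visit */
            return -1;                /* the same header byte twice      */
        count++;
    }
    return count;
}

/* Constructed sample: one option with a 1-byte value, one zero-length
 * option, then the payload marker and a payload byte. */
const uint8_t sample[] = { 0xB1, 'a', 0x00, 0xFF, 'x' };
const size_t sample_len = sizeof sample;
```

With consume_empty set, the zero-length option is consumed as a one-byte option; with it cleared, the progress check is the only thing that stops the loop.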