If a packet is encountered that contains an option processed by the parse_multiple_options() function with a declared option length of zero, the parser enters an infinite loop.
while ((temp_parsed_uri_query_ptr - *dst_pptr) < uri_query_needed_heap) {
This leaves (*packet_data_pptr) unmodified, pointing at the same option, which leads to sn_coap_parser_options_parse() looping over the same option in an infinite loop.
Type:
Remote Denial Of Service
Excessive resources usage (CPU time)
System overload
Result:
The procedure loops infinitely
Target(s) affected by this defect ?
MbedOS mbed-coap library 5.1.5
MbedOS 5.15.3
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.15.3
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
N/A
Description of defect
References:
https://github.com/ARMmbed/mbed-os/tree/mbed-os-5.15.3/features/frameworks/mbed-coap
https://github.com/ARMmbed/mbed-coap/tree/v5.1.5
File:
sn_coap_parser.c
Analysis:
If a packet is encountered that contains an option processed by the parse_multiple_options() function with a declared option length of zero, the parser enters an infinite loop.
Example entry point with zero-length option_len:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 498 to 501 in b6370b4
Together with message_left equal to 1, this results in a zero-length needed-heap calculation:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Line 635 in b6370b4
With a zero-length heap allocation, the function exits early without entering the main processing loop:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 652 to 657 in b6370b4
This leaves (*packet_data_pptr) unmodified, pointing at the same option, which leads to sn_coap_parser_options_parse() looping over the same option in an infinite loop.
How is this defect reproduced ?
Parsing the provided example input with the sn_coap_parser() function.
hang1.log
hang_minimal.log
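The failure pattern described in the analysis, reduced to a toy model with a forward-progress guard in the outer option loop. This is an added example, not mbed-coap code and not the project's fix; the option format, handle_option(), walk_options(), the return codes and the sample bytes are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not mbed-coap code. Assumed toy format: one header byte per
 * option (low nibble = value length), then the value; 0xFF starts the payload. */

/* Constructed inputs: two well-formed options; one option, then a zero-length one. */
static const uint8_t SAMPLE_OK[]    = { 0x11, 'a', 0x12, 'b', 'c' };
static const uint8_t SAMPLE_STALL[] = { 0x11, 'a', 0x30 };

/* Models the early exit: a zero-length option needs no storage, so the handler
 * reports success without moving the cursor. */
static int handle_option(const uint8_t **cur, const uint8_t *end)
{
    size_t len = (size_t)(**cur & 0x0F);
    if (len == 0)
        return 0;                        /* *cur left unmodified */
    if ((size_t)(end - *cur) < 1 + len)
        return -1;                       /* truncated option */
    *cur += 1 + len;                     /* consume header and value */
    return 0;
}

/* Returns the option count, -1 on truncated input, -2 when the guard sees a
 * handler that consumed nothing, -3 when the iteration budget runs out
 * (the budget stands in for the hang so the unguarded case terminates). */
int walk_options(const uint8_t *buf, size_t n, int guard, int budget)
{
    const uint8_t *cur = buf, *end = buf + n;
    int count = 0;
    while (cur < end && *cur != 0xFF) {
        const uint8_t *before = cur;
        if (budget-- <= 0) return -3;
        if (handle_option(&cur, end) != 0) return -1;
        if (guard && cur == before) return -2;   /* no forward progress */
        count++;
    }
    return count;
}

int main(void)
{
    printf("ok=%d unguarded=%d guarded=%d\n",
           walk_options(SAMPLE_OK, sizeof SAMPLE_OK, 1, 1000),
           walk_options(SAMPLE_STALL, sizeof SAMPLE_STALL, 0, 1000),
           walk_options(SAMPLE_STALL, sizeof SAMPLE_STALL, 1, 1000));
    return 0;
}
```

Without the guard the walker only stops because the model's iteration budget is exhausted; with it, the stalled option is rejected on the first pass.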