
Integer overflow in MbedOS CoAP library parser #12930

Closed
mjurczak opened this issue May 5, 2020 · 8 comments

Comments

@mjurczak

mjurczak commented May 5, 2020

Description of defect

References:

https://github.com/ARMmbed/mbed-os/tree/mbed-os-5.15.3/features/frameworks/mbed-coap

https://github.com/ARMmbed/mbed-coap/tree/v5.1.5

File:

sn_coap_parser.c

Analysis:

Unhandled option length variable roll-over occurs if extended option length encoding is used with >65535 length encoded. The frame is further processed with the result of integer roll-over.

```c
if (option_len == 13) {
    /* 1-byte extended length: value 13..268 */
    option_len = *(*packet_data_pptr + 1) + 13;
    (*packet_data_pptr)++;
} else if (option_len == 14) {
    if (message_left >= 2) {
        /* 2-byte extended length: value 269..65804. option_len is a 16-bit
           variable in the parser, so the "+ 269" can wrap past 65535 and the
           wrapped value is used without any check. */
        option_len = *(*packet_data_pptr + 2);
        option_len += (*(*packet_data_pptr + 1) << 8) + 269;
        (*packet_data_pptr) += 2;
    } else {
        /* packet_data_pptr would overflow! */
        tr_error("sn_coap_parser_options_parse - **packet_data_pptr overflow while resolving option length!");
        return -1;
    }
}
```

Type:

  • Integer Overflow or Wraparound

Result:

  • Undetected malformed frame
  • Incorrect packet parsing

Target(s) affected by this defect ?

  • MbedOS mbed-coap library 5.1.5
  • MbedOS 5.15.3

Toolchain(s) (name and version) displaying this defect ?

N/A

What version of Mbed-os are you using (tag or sha) ?

MbedOS 5.15.3

What version(s) of tools are you using. List all that apply (E.g. mbed-cli)

N/A

How is this defect reproduced ?

N/A
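The following is an added illustration, not code from mbed-coap or from the reporter: a standalone decoder for the CoAP option-length field (RFC 7252 section 3.1) that does the arithmetic in 32 bits and bounds the result by the bytes actually left in the message, so the 16-bit wraparound described above cannot be reached. The `wrapped_len()` helper only reproduces the 16-bit arithmetic from the snippet to show what value the parser ends up with; the assumption that `option_len` is a `uint16_t` in the parser is the reporter's, restated here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>

/* Outcome of decoding one option-length field. */
typedef struct {
    bool     ok;        /* false: frame must be rejected */
    uint32_t length;    /* decoded option value length */
    size_t   consumed;  /* extended-length bytes consumed (0, 1 or 2) */
} coap_optlen_t;

/* nibble   : the 4-bit length field from the option header byte
 * ext      : bytes following that header byte
 * ext_left : number of message bytes still available from ext onwards */
coap_optlen_t coap_decode_option_length(uint8_t nibble, const uint8_t *ext, size_t ext_left)
{
    coap_optlen_t r = { false, 0, 0 };
    uint32_t len;

    if (nibble < 13) {
        len = nibble;
    } else if (nibble == 13) {                 /* 1-byte extension: 13..268 */
        if (ext_left < 1) return r;            /* truncated frame */
        len = (uint32_t)ext[0] + 13;
        r.consumed = 1;
    } else if (nibble == 14) {                 /* 2-byte extension: 269..65804 */
        if (ext_left < 2) return r;            /* truncated frame */
        len = (((uint32_t)ext[0] << 8) | ext[1]) + 269;
        r.consumed = 2;
    } else {
        return r;                              /* 15 is reserved (payload marker) */
    }

    /* Reject anything a 16-bit variable could not hold, and anything longer
       than the bytes that remain after the length field itself. */
    if (len > UINT16_MAX || len > ext_left - r.consumed) return r;

    r.ok = true;
    r.length = len;
    return r;
}

/* Mirrors the 16-bit arithmetic in the reported snippet (assumed uint16_t),
   so the wrapped value can be observed: 0xFF 0xFF gives 65804 mod 65536 = 268. */
uint16_t wrapped_len(uint8_t hi, uint8_t lo)
{
    uint16_t option_len = lo;
    option_len += (hi << 8) + 269;
    return option_len;
}
```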

@ciarmcom
Member

ciarmcom commented May 6, 2020

Thank you for raising this detailed GitHub issue. I am now notifying our internal issue triagers.
Internal Jira reference: https://jira.arm.com/browse/MBOTRIAGE-2659

@0xc0170
Member

0xc0170 commented May 6, 2020

cc @teetak01

@teetak01
Contributor

teetak01 commented May 6, 2020

Thanks for the reports related to CoAP library. We will go through the findings.

@mjurczak
Author

mjurczak commented May 6, 2020

@teetak01 No problem. Let me know if I can assist with reproducing or suggesting fixes.

@teetak01
Contributor

teetak01 commented May 7, 2020

Thanks @mjurczak, mbed-coap is developed in https://github.com/ARMmbed/mbed-coap repository.

We would appreciate any contributions and/or feedback there.

@mjurczak
Author

A solution proposal:
mjurczak/mbed-coap@4647a68

@teetak01
Contributor

Hi @mjurczak, we can review the fixes, but we would need you to open PRs vs mbed-coap first.

@mjurczak
Author

Hi @teetak01, I understand. I will clean up the code and commits a bit, and open new PRs targeting specific issues in the mbed-coap repository.

4 participants