Description of defect

References:
https://github.com/ARMmbed/mbed-os/tree/mbed-os-5.15.3/features/frameworks/mbed-coap
https://github.com/ARMmbed/mbed-coap/tree/v5.1.5

File:
sn_coap_parser.c

Analysis:
If a packet whose declared token length is larger than the number of bytes actually provided is parsed, a read beyond the bounds of the input buffer may occur.
Invalid memory access may occur in sn_coap_protocol_malloc_copy(), as there is no check that the arguments lie within the input buffer boundaries:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 279 to 288 in b6370b4

Type:
Result:
Patch proposal:
https://github.com/mjurczak/mbed-coap/tree/bugfix/buffer_read_out_of_bounds

Target(s) affected by this defect ?
Toolchain(s) (name and version) displaying this defect ?
N/A

What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.15.3

What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
N/A

How is this defect reproduced ?
Parsing the provided example input with the sn_coap_parser() function, using the harness below:
```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include "sn_coap_protocol.h"
#include "sn_coap_header.h"

struct coap_s* coapHandle;
coap_version_e coapVersion = COAP_VERSION_1;

/* Allocator and callback stubs required by sn_coap_protocol_init(). */
void* coap_malloc(uint16_t size) { return malloc(size); }
void coap_free(void* addr) { free(addr); }
uint8_t coap_tx_cb(uint8_t *arg_a, uint16_t arg_b, sn_nsdl_addr_s *arg_c, void *arg_d) { return 0; }
int8_t coap_rx_cb(sn_coap_hdr_s *arg_a, sn_nsdl_addr_s *arg_b, void *arg_c) { return 0; }

int main(int argc, const char* argv[])
{
    FILE *fp;
    size_t read_bytes;
    long input_size;
    uint8_t *message_buffer;

    if (argc != 2) {
        return 1;
    }
    /* Binary mode so the packet bytes are read unmodified. */
    fp = fopen(argv[1], "rb");
    if (fp == NULL) {
        return 2;
    }
    fseek(fp, 0, SEEK_END);
    input_size = ftell(fp);
    rewind(fp);
    /* sn_coap_parser() takes a uint16_t length; 65527 is the largest UDP payload. */
    if (input_size < 0 || input_size > 65527) {
        fclose(fp);
        return 3;
    }
    message_buffer = malloc((size_t)input_size);
    if (message_buffer == NULL) {
        fclose(fp);
        return 4;
    }
    read_bytes = fread(message_buffer, 1, (size_t)input_size, fp);
    fclose(fp);

    coapHandle = sn_coap_protocol_init(&coap_malloc, &coap_free, &coap_tx_cb, &coap_rx_cb);
    /* The parser is told exactly how many bytes it was given; the out-of-bounds
       read happens when the header's declared token length exceeds that. */
    sn_coap_hdr_s* parsed = sn_coap_parser(coapHandle, (uint16_t)read_bytes, message_buffer, &coapVersion);
    sn_coap_parser_release_allocated_coap_msg_mem(coapHandle, parsed);
    sn_coap_protocol_destroy(coapHandle);
    free(message_buffer);
    return 0;
}
```
Provided example input (attachment): sn_coap_parser.c:token_overflow.log
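The check the analysis says is missing, written out as an added example that is neither mbed-coap's code nor the proposed patch: a small RFC 7252 fixed-header parser that validates the declared token length (TKL) against the bytes actually received, and rejects the reserved TKL values 9..15, before anything is read or copied past the 4-byte header. The struct `coap_hdr_view_t`, the function names and the three sample packets are constructed for this example and are not from the report's attachment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Parsed view of the CoAP fixed header and token (RFC 7252 section 3).
 * Constructed for this example; it is not mbed-coap's sn_coap_hdr_s. */
typedef struct {
    uint8_t  version;
    uint8_t  type;
    uint8_t  token_len;
    uint8_t  code;
    uint16_t msg_id;
    uint8_t  token[8];   /* copied out, so callers never hold a pointer into the packet */
    size_t   consumed;   /* bytes of the packet covered by header + token */
} coap_hdr_view_t;

enum {
    COAP_PARSE_OK          =  0,
    COAP_PARSE_TRUNCATED   = -1,  /* packet shorter than its header claims */
    COAP_PARSE_BAD_TKL     = -2,  /* TKL 9..15 are reserved: message format error */
    COAP_PARSE_BAD_VERSION = -3
};

#define COAP_FIXED_HDR_LEN 4u
#define COAP_MAX_TKL       8u

/* Nonzero when a token of 'tkl' bytes fits inside a packet of 'packet_len' bytes
 * after the fixed header. This is the bound that has to hold before any copy. */
int coap_token_fits(size_t packet_len, unsigned tkl)
{
    return packet_len >= COAP_FIXED_HDR_LEN &&
           tkl <= COAP_MAX_TKL &&
           packet_len - COAP_FIXED_HDR_LEN >= tkl;
}

/* Parses header + token; every length is validated against 'len' before use. */
int coap_parse_header(const uint8_t *buf, size_t len, coap_hdr_view_t *out)
{
    if (buf == NULL || out == NULL || len < COAP_FIXED_HDR_LEN)
        return COAP_PARSE_TRUNCATED;

    uint8_t  b0      = buf[0];
    unsigned version = (b0 >> 6) & 0x03u;
    unsigned type    = (b0 >> 4) & 0x03u;
    unsigned tkl     =  b0       & 0x0Fu;

    if (version != 1u)
        return COAP_PARSE_BAD_VERSION;
    if (tkl > COAP_MAX_TKL)           /* reserved token lengths */
        return COAP_PARSE_BAD_TKL;
    if (!coap_token_fits(len, tkl))   /* declared token longer than what arrived */
        return COAP_PARSE_TRUNCATED;

    memset(out, 0, sizeof *out);
    out->version   = (uint8_t)version;
    out->type      = (uint8_t)type;
    out->token_len = (uint8_t)tkl;
    out->code      = buf[1];
    out->msg_id    = (uint16_t)((buf[2] << 8) | buf[3]);
    memcpy(out->token, buf + COAP_FIXED_HDR_LEN, tkl);   /* bounded by the check above */
    out->consumed  = COAP_FIXED_HDR_LEN + tkl;
    return COAP_PARSE_OK;
}

/* Constructed sample packets (not the report's token_overflow.log). */
/* CON GET, message id 0x1234, TKL=4, token AA BB CC DD: complete. */
static const uint8_t SAMPLE_OK[]  = { 0x44, 0x01, 0x12, 0x34, 0xAA, 0xBB, 0xCC, 0xDD };
/* Same header (TKL=4) but only two token bytes actually present. */
static const uint8_t SAMPLE_CUT[] = { 0x44, 0x01, 0x12, 0x34, 0xAA, 0xBB };
/* TKL=0xF: reserved value, rejected before any length arithmetic. */
static const uint8_t SAMPLE_TKL[] = { 0x4F, 0x01, 0x12, 0x34 };

/* Wrappers so each sample's verdict is a plain return value. */
int parse_sample_ok(coap_hdr_view_t *v)  { return coap_parse_header(SAMPLE_OK,  sizeof SAMPLE_OK,  v); }
int parse_sample_cut(coap_hdr_view_t *v) { return coap_parse_header(SAMPLE_CUT, sizeof SAMPLE_CUT, v); }
int parse_sample_tkl(coap_hdr_view_t *v) { return coap_parse_header(SAMPLE_TKL, sizeof SAMPLE_TKL, v); }

int main(void)
{
    coap_hdr_view_t v;
    int rc = parse_sample_ok(&v);
    printf("complete packet : rc=%d, consumed %zu bytes\n", rc, v.consumed);
    printf("truncated token : rc=%d\n", parse_sample_cut(&v));
    printf("reserved TKL    : rc=%d\n", parse_sample_tkl(&v));
    return 0;
}
```

The point of `coap_token_fits()` is that the comparison is done on the received length, never on the declared one: a parser that trusts TKL and advances a pointer by it has already lost the bound it needs, which is the pattern the report describes for the copy in sn_coap_parser.c.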
Thank you for raising this detailed GitHub issue. I am now notifying our internal issue triagers. Internal Jira reference: https://jira.arm.com/browse/MBOTRIAGE-2669