Hi @mjurczak,
We checked your proposal here and we can definitely take the contribution, so if you can please open a Pull Request to http://github.com/ARMmbed/mbed-coap, we can officially review it, take it in and bring it back to the mbed-os repo.
Description of defect
References:
https://github.com/ARMmbed/mbed-os/tree/mbed-os-5.15.3/features/frameworks/mbed-coap
https://github.com/ARMmbed/mbed-coap/tree/v5.1.5
File:
sn_coap_parser.c
Example Trace (64 Byte leak):
Example Trace (double 8 Byte leak):
Analysis:
If a packet with multiple options having the same effective option number but a non-zero delta is processed, it may lead to a memory leak.
This issue is related to:
#12930
The parser assumes in sn_coap_parser_options_parse_multiple_options() that options with the same number can only occur adjacent to each other, using a zero delta after the first option with a given number.
This is not true due to an integer overflow in the option number addition, which makes it possible to craft a packet with multiple options resulting in the same option number in arbitrary order.
In conjunction with the lack of verification of pointers to allocated memory before overwriting the pointer with newly allocated space, it may lead to a memory leak due to memory buffer orphaning.
The integer overflow is described in detail in:
#12930
The uint16 variable overflow can happen at:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 309 to 322 in b6370b4
and
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Line 338 in b6370b4
If more than one occurrence of an option with the same number is encountered by sn_coap_parser_options_parse(), sn_coap_parser_options_parse_multiple_options() may allocate a new memory buffer and overwrite the pointer pointing to the previously allocated memory space in:
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 434 to 441 in b6370b4
or
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 497 to 500 in b6370b4
or
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 510 to 513 in b6370b4
or
mbed-os/features/frameworks/mbed-coap/source/sn_coap_parser.c
Lines 535 to 538 in b6370b4
As a result the previously allocated buffer is orphaned and never freed.
Patch proposal:
mjurczak/mbed-coap@4647a68
Type:
Result:
Target(s) affected by this defect ?
Toolchain(s) (name and version) displaying this defect ?
N/A
What version of Mbed-os are you using (tag or sha) ?
MbedOS 5.15.3
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
N/A
How is this defect reproduced ?
Parsing the provided example input with the sn_coap_parser() function.
mem_leak_8B_double_option.log
mem_leak_16B_triple_option.log
mem_leak_64B_double_option.log
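A hardened option walker and single-slot store in C, added here as an illustration and not code from the mbed-coap project: the running option number is accumulated in 32 bits and the message is rejected once it passes 0xFFFF (the point where the uint16 accumulator described in the issue wraps and a later option can alias an earlier number), and a slot that already holds a buffer is never overwritten, so no previously allocated buffer is orphaned. The function names and the single-slot option layout are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Decode a CoAP delta/length nibble and its extension bytes (RFC 7252 3.1).
 * Returns extension bytes consumed (0-2), or -1 on malformed input. */
static int coap_ext(uint8_t nib, const uint8_t *p, size_t left, uint32_t *out)
{
    if (nib < 13) { *out = nib; return 0; }
    if (nib == 13 && left >= 1) { *out = 13u + p[0]; return 1; }
    if (nib == 14 && left >= 2) { *out = 269u + (((uint32_t)p[0] << 8) | p[1]); return 2; }
    return -1;                          /* nibble 15 is reserved here */
}

/* Walk the option headers after the token, recording each option's
 * effective number. The running number is 32-bit and the message is
 * rejected once it exceeds 0xFFFF, where a uint16_t accumulator would wrap
 * and let a later option alias an earlier number. Returns the option count,
 * or -1 for malformed or overflowing input. (Hypothetical helper.) */
int coap_walk_options(const uint8_t *buf, size_t len, uint32_t *nums, size_t max)
{
    uint32_t number = 0, delta, olen;
    size_t i = 0, n = 0;
    while (i < len && buf[i] != 0xFF) {  /* 0xFF is the payload marker */
        int cd, cl;
        uint8_t nib_d = buf[i] >> 4, nib_l = buf[i] & 0x0F;
        i++;
        if ((cd = coap_ext(nib_d, buf + i, len - i, &delta)) < 0) return -1;
        i += (size_t)cd;
        if ((cl = coap_ext(nib_l, buf + i, len - i, &olen)) < 0) return -1;
        i += (size_t)cl;
        number += delta;
        if (number > 0xFFFFu || olen > len - i || n == max) return -1;
        nums[n++] = number;
        i += olen;
    }
    return (int)n;
}

/* Store an option value into a single-slot pointer. Refusing to overwrite a
 * slot that is already set is the check whose absence orphans the first
 * buffer when a second option lands on the same number. */
int coap_store_once(uint8_t **slot, const uint8_t *src, size_t n)
{
    if (*slot != NULL) return -1;        /* duplicate: reject, never leak */
    *slot = malloc(n);
    if (*slot == NULL) return -1;
    memcpy(*slot, src, n);
    return 0;
}
```

With a uint16 accumulator the constructed delta-14 extension 0xFEF3 (269 + 65267 = 65536) would bring a second option back to number 11 after a Uri-Path option; here it is rejected instead.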