Memory overwrite in message_send (allocLen and pktBufferLen are not the same) #105

Closed
ieei0214 opened this issue Mar 10, 2016 · 1 comment

Hi,

The size of coap_serialize_get_size() doesn't match the size of coap_serialize_message(). It will cause a memory overwrite.

allocLen=51 pktBufferLen=57

```c
coap_status_t message_send(lwm2m_context_t * contextP,
                           coap_packet_t * message,
                           void * sessionH)
{
    coap_status_t result = INTERNAL_SERVER_ERROR_5_00;
    uint8_t * pktBuffer;
    size_t pktBufferLen = 0;
    size_t allocLen;

    /* Size used for the allocation */
    allocLen = coap_serialize_get_size(message);
    printf("allocLen=%zu\n", allocLen);   /* debug print; %zu is the size_t specifier */
    if (allocLen == 0) return COAP_500_INTERNAL_SERVER_ERROR;

    pktBuffer = (uint8_t *)lwm2m_malloc(allocLen);
    if (pktBuffer != NULL)
    {
        /* Number of bytes actually written into pktBuffer */
        pktBufferLen = coap_serialize_message(message, pktBuffer);
        printf("pktBufferLen=%zu\n", pktBufferLen);   /* debug print */
        if (0 != pktBufferLen)
        {
            result = lwm2m_buffer_send(sessionH, pktBuffer, pktBufferLen, contextP->userData);
        }
        lwm2m_free(pktBuffer);
    }

    return result;
}
```

```
Trying to bind LWM2M Client to port 56830
LWM2M Client "testlwm2mclient" started on port 56830

Opening connection to server at leshan.eclipse.org:5683
Sending 153 bytes to [5.39.83.206]:5683
44 02 71 5F 5F 71 03 0C B2 72 64 11 28 3D 05 65 D.q__q...rd.(=.e
70 3D 74 65 73 74 6C 77 6D 32 6D 63 6C 69 65 6E p=testlwm2mclien
74 03 62 3D 55 06 6C 74 3D 33 30 30 FF 3C 2F 3E t.b=U.lt=300.</>
3B 72 74 3D 22 6F 6D 61 2E 6C 77 6D 32 6D 22 3B ;rt="oma.lwm2m";
63 74 3D 31 35 34 33 2C 3C 2F 31 2F 30 3E 2C 3C ct=1543,</1/0>,<
2F 33 2F 30 3E 2C 3C 2F 35 2F 30 3E 2C 3C 2F 36 /3/0>,</5/0>,</6
2F 30 3E 2C 3C 2F 31 30 32 34 2F 31 30 3E 2C 3C /0>,</1024/10>,<
2F 31 30 32 34 2F 31 31 3E 2C 3C 2F 31 30 32 34 /1024/11>,</1024
2F 31 32 3E 2C 3C 2F 34 2F 30 3E 2C 3C 2F 37 2F /12>,</4/0>,</7/
30 3E 2C 3C 2F 32 2F 30 3E 0>,</2/0>
22 bytes received from [5.39.83.206]:5683
64 41 71 5F 5F 71 03 0C 82 72 64 0A 78 4B 52 77 dAq__q...rd.xKRw
4F 50 41 4D 59 38 OPAMY8
19 bytes received from [5.39.83.206]:5683
47 01 14 8D 5D A7 F4 AE B9 46 2C B4 31 30 32 34 G...]....F,.1024
02 31 30 .10
allocLen=51
pktBufferLen=57

Sending 57 bytes to [5.39.83.206]:5683
67 45 14 8D 5D A7 F4 AE B9 46 2C C2 06 07 FF 7B gE..]....F,....{
22 65 22 3A 5B 7B 22 6E 22 3A 22 31 22 2C 22 76 "e":[{"n":"1","v
22 3A 32 30 7D 2C 7B 22 6E 22 3A 22 33 22 2C 22 ":20},{"n":"3","
76 22 3A 2D 33 30 7D 5D 7D v":-30}]}
```

ieei0214 pushed a commit to ieei0214/wakaama that referenced this issue Mar 10, 2016
coap_serialize_get_size need to add token_len.

Signed-off-by: Ricky Liu <ricky.jh.liu@wnc.com.tw>
ieei0214 added a commit to ieei0214/wakaama that referenced this issue Mar 10, 2016
coap_serialize_get_size need to add token_len.

Signed-off-by: Ricky Liu <ieei.liu@gmail.com>
dnav added a commit that referenced this issue Mar 10, 2016
Fix for issue #105: memory overwrite in message_send.
dnav commented Mar 10, 2016

Fixed by #107

@dnav dnav closed this as completed Mar 10, 2016
vslapik pushed a commit to vslapik/wakaama that referenced this issue Apr 20, 2017
coap_serialize_get_size need to add token_len.

Signed-off-by: Ricky Liu <ieei.liu@gmail.com>
vslapik pushed a commit to vslapik/wakaama that referenced this issue Apr 20, 2017
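
Added example, not part of the issue and not wakaama's code: a size estimate that omits the token next to one that includes it, and a serializer that is told the buffer capacity and refuses to write past it. `msg_t`, `size_without_token`, `size_exact`, `serialize_bounded` and `sample_from_log` are hypothetical names; the sample message is rebuilt from the 57-byte response in the log, and the short estimate here is this example's own arithmetic, so it does not reproduce the logged `allocLen`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical minimal message type for this example (not wakaama's coap_packet_t). */
typedef struct {
    uint8_t type, code, token_len, token[8];
    uint16_t mid;
    const uint8_t *options; size_t options_len;   /* pre-encoded option bytes */
    const uint8_t *payload; size_t payload_len;
} msg_t;

/* Estimate that forgets the token: the class of bug reported in this issue. */
size_t size_without_token(const msg_t *m) {
    return 4 + m->options_len + (m->payload_len ? 1 + m->payload_len : 0);
}

/* Estimate that covers every field the serializer emits. */
size_t size_exact(const msg_t *m) {
    return size_without_token(m) + m->token_len;
}

/* Serializer that knows the buffer capacity: returns bytes written, 0 on refusal. */
size_t serialize_bounded(const msg_t *m, uint8_t *buf, size_t cap) {
    if (m->token_len > 8 || size_exact(m) > cap) return 0; /* TKL 9-15 are reserved */
    uint8_t *p = buf;
    *p++ = (uint8_t)(0x40 | ((m->type & 3) << 4) | m->token_len); /* ver=1, type, TKL */
    *p++ = m->code;
    *p++ = (uint8_t)(m->mid >> 8);
    *p++ = (uint8_t)(m->mid & 0xFF);
    memcpy(p, m->token, m->token_len); p += m->token_len;
    if (m->options_len) { memcpy(p, m->options, m->options_len); p += m->options_len; }
    if (m->payload_len) {
        *p++ = 0xFF;                                   /* payload marker */
        memcpy(p, m->payload, m->payload_len); p += m->payload_len;
    }
    return (size_t)(p - buf);
}

/* Message rebuilt from the 57-byte response in the log above. */
msg_t sample_from_log(void) {
    static const uint8_t opts[] = { 0xC2, 0x06, 0x07 };
    static const char body[] = "{\"e\":[{\"n\":\"1\",\"v\":20},{\"n\":\"3\",\"v\":-30}]}";
    msg_t m = { .type = 2, .code = 0x45, .token_len = 7,
                .token = { 0x5D, 0xA7, 0xF4, 0xAE, 0xB9, 0x46, 0x2C }, .mid = 0x148D,
                .options = opts, .options_len = sizeof opts,
                .payload = (const uint8_t *)body, .payload_len = sizeof body - 1 };
    return m;
}
```

With a capacity argument, an under-counted allocation turns into a refused send rather than a write past the end of the heap buffer.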