-
Notifications
You must be signed in to change notification settings - Fork 370
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
The dataP pointer accesses an invalid address. #514
Comments
I am able to reproduce the segmentation fault with your create command on the server example. The example server calls
My suggestions:
|
I prefer 2) it is the parsing of command line input that fails (ie "syntax error") not a coap message error. |
I might need to revise my comment above. "{}" is legal when creating a new object? (not providing all/any resource information) |
We are talking about SENML JSON OR OLD JSON content format right used for CREATE request? Not so easy question. Currently I would say this is not a valid payload and maybe Leshan should not allow this. @qleisan, @sbertin-telular what do you think ? |
The parsing of "{}" would be done in the server's prv_create_client function. This is independent of the format used for the CREATE request to the client. I don't think this function is even aware of what format will be used for the client communication. It can be SENML JSON, OLD JSON, or a simple integer for object ID 31024. The instance ID may be in the URI part of the command. Hypothetically, a create with no resources could be valid if all resources are optional. I'm not sure what the usefulness of such an object would be, but we should probably allow the CREATE to go to the client if we can. At the least it could be useful for checking that the client would reject it when there is a single required resource. |
You mean this is a dedicated format used for example command line ? (I guess it looks like OLD JSON or something like this?)
I understand this is not allowed see (transport§6.4.4-Device-Management-and-Service-Enablement-Interface)
Unless again you talk about the URI of the command line ?
Only if format allow it and I'm not sure this is allowed for SENML JSON or OLD JSON for reason I exposed above but I could be wrong. |
This was all about parsing of the command line.
I haven't checked if any of the formats allow it. |
If I correctly understand there is an issue with server example command line parsing. But is there also an issue at client side where an invalid request could make crash the lwm2m client/device ? |
The lwm2m_dm_create() function only exists in the server. This is not an issue on the client. |
@Lkerenl-h If I'm not wrong you opened an security issue saying that a DoS attack could be made using this issue. |
@sbernard31 Yes, this problem can only be triggered in the sample server command line. |
But I'm not sure if there is a similar problem elsewhere, which will pass the wrong dataP to the lwm2m_dm_create function for parsing. |
Unless I missed something, I think you're right and we should :
Sometime 2) is enough but It could be less bug resilient and is not adapted when inputs come from "uncontrolled" source (like a foreign peer or a user) |
I agree, we should check the inputs. That probably applies for any lwm2m_* function. Those are the ones intended to be called from outside code. |
I just grepped the code and there is exactly one call to lwm2m_dm_create(). That is in the example server. Whether other server implementations exist using Wakaama that could cause the same problem, I can't say. |
The "naive" solution to the problem (segmentation fault when executing server command create 0 /123 {}
is replaced by
however I am far from convinced that this solution is the best/correct one and the problem grows a lot when taking the more holistic view... |
A little too naïve. That might handle this specific case, but we would need to check all the pointers passed in (except callback and userData) for NULL at the top of the function and return COAP_400_BAD_REQUEST if any are NULL. I'm having second thoughts about checking all the inputs to lwm2m_* functions. It could increase the code size with little benefit over a clearly defined function contract. Code size is important if it is to be used on small embedded devices. |
Just an Idea but maybe we could add a #ifdef which allow to keep or remove this inputs checks ? |
I propose the code introduce a check here that returns an error if After this point the code checks if |
Right now several formats could be vaild. SENML JSON, old JSOM, or just an integer for object 31024. If the check is after all the possible parsing, I'm good with that. I just don't want to fail with the first format tried. |
Issue eclipse-wakaama#514 Signed-off-by: Leif Sandstrom <leif.sandstrom@husqvarnagroup.com>
Issue #514 Signed-off-by: Leif Sandstrom <leif.sandstrom@husqvarnagroup.com>
@sbernard31 @sbertin-telular - the fix is merged, can we close this issue? |
@Lkerenl-h this should be fixed in master. Could you check if it works for you ? 🙏 @qleisan, @sbertin-telular do we need a more general issue about : checking inputs for any lwm2m_* function. (#514 (comment)) |
lwm2m_dm_create() in core/management.c
When the
lwm2mserver
of the example is used, if you entercreate 0 /123 {}
. segmentation faultThe text was updated successfully, but these errors were encountered: