Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix coap_parse_message() #640

Merged
merged 8 commits into from
Jan 14, 2022
Merged

Fix coap_parse_message() #640

merged 8 commits into from
Jan 14, 2022

Conversation

rettichschnidi
Copy link
Contributor

@rettichschnidi rettichschnidi commented Jan 11, 2022
edited
Loading

@VoodooChild99 has reported buffer overflows and over-reads in coap_parse_message() [1]. As this method is parsing data received over the network (internet), attackers can exploit this weakness.

This PR fixes [1], adds some unit tests for coap_parse_message() and fixes issues found while working this method. More details can be found in the respective commit messages.

Thanks @VoodooChild99 for letting us know and helping on getting this fixed!

[1] https://bugs.eclipse.org/bugs/show_bug.cgi?id=577968

@rettichschnidi
[Bugzilla-577968] coap: Check data length before parsing CoAP header
e440152 
As reported by Chongqing Lei, coap_parse_message() does not check
whether the number of bytes provided by `data` `data_len`) matches or
exceeds the minimal CoAP message size before starting to parse the
header using the bytes pointed at by the `data` parameter. This can lead
to OOB reads, causing all kinds of (remote exploitable) issues.

Example of a DoS attack:
1) Start lwm2mserver:
   `$ examples/server/lwm2mserver`
2) Connect to it
   `$ echo -e -n '\x6e\x8d' | nc -6 -u localhost 5683`
3) lwm2mserver output:
   ```
   > 2 bytes received from [::1]:44955
   6E 8D  n.
   Segmentation fault
   ```
@rettichschnidi
[Bugzilla-577968] coap: Avoid overrunning options field
599fd33 
As reported by Chongqing Lei, coap_parse_message() overruns the options
field in coap_packet_t when the option number is exactly 40.
@rettichschnidi
coap: Add unit tests for coap_parse_message()
240e413 
Testing is not exhaustive, yet surfaces some issues within the function.

This commit has been inspired by and includes a test for an issue found
by Chongqing Lei: coap_parse_message() does not check data_len if
data_len is less than COAP_HEADER_LEN.
This shortcoming is (trivially) remote exploitable. An example of a DoS
attack is included in the report and has been added to the unit tests.

The exposed issues will be fixed by upcoming patches.
@rettichschnidi
coap: Fix some memory safety issues
31924a9 
This fixes some buffer over-read issues uncovered by:
 - reading the code
 - unit tests introduced for coap_parse_message()
 - fuzzing

Chances are that there are even more issues.
@rettichschnidi rettichschnidi force-pushed the gardena/rs/fix-coap_parse_message branch from cc2aa8d to b30e097 Compare January 11, 2022 18:24
@rettichschnidi
coap: Detect payload marker without actual payload
ce2d7ff 
RFC 7252 states:
> The presence of a marker followed by a zero-length payload MUST be
> processed as a message format error.
@rettichschnidi
coap: Detect empty messages with extra data
ce6f2bc 
RFC 7252 regarding Empty Messages:
> A message with a Code of 0.00; neither a request nor a response.
> An Empty message only contains the 4-byte header.

Note: Erroring on requests or responses is not not implemented.
@rettichschnidi
coap: Detect illegal token size
946b40b 
RFC 7252 states:
> Lengths 9-15 are reserved, MUST NOT be sent, and MUST be processed as
> a message format error.
@rettichschnidi
coap: Detect reserved option delta/length values
5a7f7af 
RFC 7252 on Option Delta of 15:
> Reserved for the Payload Marker. If the field is set to this value but
> the entire byte is not the payload marker, this MUST be processed as a
> message format error.

RFC 7252 on Option Length of 15:
> Reserved for future use. If the field is set to this value, it MUST be
> processed as a message format error.
@rettichschnidi rettichschnidi force-pushed the gardena/rs/fix-coap_parse_message branch from b30e097 to 5a7f7af Compare January 12, 2022 02:15
mlasch
mlasch approved these changes Jan 13, 2022
View reviewed changes
Copy link
Contributor

@mlasch mlasch left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work @rettichschnidi! I did some smoke testing and it looks good to me. Also nice to have unittest coverage for the message parser.

@rettichschnidi rettichschnidi merged commit b5bbe36 into eclipse-wakaama:master Jan 14, 2022
@rettichschnidi rettichschnidi deleted the gardena/rs/fix-coap_parse_message branch January 14, 2022 12:12
@rettichschnidi rettichschnidi mentioned this pull request Jan 22, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mlasch mlasch mlasch approved these changes

@tuve tuve Awaiting requested review from tuve

Assignees
No one assigned
Labels
bug security tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@rettichschnidi @mlasch