keith-cullen / FreeCoAP

An implementation of a CoAP client, a CoAP server and a HTTP/CoAP proxy with full DTLS support.

Bug: Null Pointer Dereference Detected in test_coap_server.c at server_handle_regular Function #36

Closed dqp10515 closed 6 months ago

dqp10515 commented 6 months ago

Reproduce Info

Version: v0.7

Build Environment Update

The Makefile within the test_coap_server directory has been updated to use clang with sanitizers.

 I1 = ../../lib/include
 S1 = ../../lib/src
-CC_ ?= gcc
-CFLAGS = -Wall \
+CC_ ?= clang
+CFLAGS = -Wall -g -fsanitize=address,undefined -fno-omit-frame-pointer\
          -I $(I1)
 CFLAGS += $(IP6_CFLAGS)
 CFLAGS += $(DTLS_CFLAGS)
-LD_ ?= gcc
-LDFLAGS =
+LD_ ?= clang
+LDFLAGS = -fsanitize=address,undefined
 INCS = $(I1)/coap_server.h \
        $(I1)/coap_msg.h \
        $(I1)/coap_mem.h \
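Review bot: the new CFLAGS line ends in `-fno-omit-frame-pointer\` with no space before the continuation backslash; GNU make still joins the two lines with a space, but put one before the backslash so the flag list reads as written and survives an editor that strips the continuation. Also, the sanitizer flags replace the default compiler and flags for everyone rather than being switchable like the existing `IP6_CFLAGS`/`DTLS_CFLAGS` additions; that is fine for a reproduction recipe, but it should not be merged as a permanent change to the test Makefile.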

Building test_coap_server

cd FreeCoAP/test/test_coap_server
make dtls=n

Run Instructions

Starting the CoAP Server

The CoAP server was started using the test_coap_server executable:

cd FreeCoAP/test/test_coap_server
./test_coap_server

Sending a Packet

The packet was sent to the server using the following command:

echo -n "4402c6347d0fbbf3bd05657565756575657565756575657565756575" | xxd -r -p | nc -u 0.0.0.0 12436

The packet's structure is as follows:

The hex representation of the datagram sent to the server is as follows:

4402c6347d0fbbf3bd05657565756575657565756575657565756575

Description

The server application encountered a runtime error detected by UndefinedBehaviorSanitizer (UBSan) during the execution of routine tasks. UBSan identified a null pointer being passed as the second argument to the memcpy function, which is explicitly declared to never accept a null pointer according to the annotations in string.h. The specific error was reported within the server_handle_regular function of test_coap_server.c.

Crash report

log of server:

Info   : Received confirmable request from address 127.0.0.1 and port 58854
Info   : Request URI path requires a piggy-backed response to address 127.0.0.1 and port 58854
Info   : Responding to address 127.0.0.1 and port 58854
Notice : handle regular
Received:
ver:         0x01
type:        0x00
token_len:   4
code_class:  0
code_detail: 1
msg_id:      0x26c4
token:       0x88 0x18 0x8c 0x3d
op[0].num:   11
op[0].len:   7
op[0].val:   0x72 0x65 0x67 0x75 0x6c 0x61 0x72
payload:     
payload_len: 0
Sent: 
ver:         0x01
type:        0x00
token_len:   0
code_class:  2
code_detail: 5
msg_id:      0x0000
token:      
payload:     qwertyuiopasdfgh
payload_len: 16

Here is the UBSan report:

test_coap_server.c:361:29: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
    #0 0x4cb239 in server_handle_regular FreeCoAP/test/test_coap_server/test_coap_server.c:361:9
    #1 0x4c8e1b in server_handle FreeCoAP/test/test_coap_server/test_coap_server.c:616:15
    #2 0x4db596 in coap_server_exchange FreeCoAP/lib/src/coap_server.c:2440:15
    #3 0x4d7c1f in coap_server_run FreeCoAP/lib/src/coap_server.c:2559:15
    #4 0x4c8b95 in main FreeCoAP/test/test_coap_server/test_coap_server.c:747:11
    #5 0x7fa12859d0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41c36d in _start (FreeCoAP/test/test_coap_server/test_coap_server+0x41c36d)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior test_coap_server.c:361:29 in 
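An added example, not FreeCoAP's own code: a minimal C parser for the datagram from the report (header, token, first option, payload marker) and a copy helper that skips memcpy when the payload is empty, which is the guard this finding calls for in the handler. The names coap_req_t, coap_parse, ext_value and copy_payload are mine, and the parser decodes only the first option; the datagram bytes are the ones shown in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Datagram from the report above (28 bytes, constructed from its hex dump). */
static const uint8_t kDatagram[] = {
    0x44, 0x02, 0xc6, 0x34, 0x7d, 0x0f, 0xbb, 0xf3, 0xbd, 0x05, 0x65, 0x75, 0x65, 0x75,
    0x65, 0x75, 0x65, 0x75, 0x65, 0x75, 0x65, 0x75, 0x65, 0x75, 0x65, 0x75, 0x65, 0x75 };
typedef struct {
    uint8_t ver, type, token_len, code_class, code_detail;
    uint16_t msg_id, opt_num;   /* opt_num: first option only, enough for this datagram */
    size_t opt_len, payload_len;
    const uint8_t *payload;     /* stays NULL when the message carries no payload */
} coap_req_t;
/* Decode a 4-bit option delta/length nibble plus its extended bytes (RFC 7252, 3.1). */
static int ext_value(uint8_t nib, const uint8_t **p, const uint8_t *end, size_t *out) {
    if (nib < 13) { *out = nib; return 0; }
    if (nib == 13 && end - *p >= 1) { *out = 13 + *(*p)++; return 0; }
    if (nib == 14 && end - *p >= 2) { *out = 269 + ((*p)[0] << 8 | (*p)[1]); *p += 2; return 0; }
    return -1;                  /* 15 is reserved for the payload marker, or input truncated */
}
/* Parse header, token, the first option and locate the payload; 0 on success, -1 on error. */
int coap_parse(const uint8_t *buf, size_t len, coap_req_t *r) {
    const uint8_t *p = buf, *end = buf + len;
    memset(r, 0, sizeof *r);
    if (len < 4 || (buf[0] >> 6) != 1) return -1;
    r->ver = buf[0] >> 6; r->type = (buf[0] >> 4) & 3; r->token_len = buf[0] & 0xf;
    r->code_class = buf[1] >> 5; r->code_detail = buf[1] & 0x1f;
    r->msg_id = (uint16_t)(buf[2] << 8 | buf[3]); p += 4;
    if (r->token_len > 8 || (size_t)(end - p) < r->token_len) return -1;
    p += r->token_len;
    if (p < end && *p != 0xff) {            /* one option */
        uint8_t b = *p++; size_t delta, olen;
        if (ext_value(b >> 4, &p, end, &delta) || ext_value(b & 0xf, &p, end, &olen)) return -1;
        if ((size_t)(end - p) < olen) return -1;
        r->opt_num = (uint16_t)delta; r->opt_len = olen; p += olen;
    }
    if (p < end && *p == 0xff) {            /* payload marker */
        if (++p == end) return -1;          /* marker with no payload is a format error */
        r->payload = p; r->payload_len = (size_t)(end - p);
    }
    return 0;
}
/* Copy the payload for the handler. memcpy's source is declared nonnull, so a NULL
   payload with length 0 is still undefined behaviour (the UBSan finding); skip the call. */
size_t copy_payload(uint8_t *dst, size_t cap, const coap_req_t *r) {
    size_t n = r->payload_len < cap ? r->payload_len : cap;
    if (n > 0) memcpy(dst, r->payload, n);
    return n;
}
```

For the report's datagram the parser leaves payload NULL with payload_len 0, which is exactly the case where an unconditional memcpy trips the sanitizer.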

keith-cullen commented 6 months ago

Fixed.