Fraunhofer-AISEC / uoscore-uedhoc

OSCORE and EDHOC libraries for constrained (and non-constrained) devices. See https://arxiv.org/pdf/2103.13832.pdf for more background.

Incorrect calculation of COAP options length #3

Open mrozo opened 3 years ago

mrozo commented 3 years ago

Hi,

The CoAP RFC, in chapter 3 (Message Format), says:

Implementation Note: The byte value 0xFF may also occur within an option length or value, so simple byte-wise scanning for 0xFF is not a viable technique for finding the payload marker. The byte 0xFF has the meaning of a payload marker only where the beginning of another option could occur.

But the uoscore-uedhoc lib uses this technique to calculate the size of the options buffer:

https://github.com/Fraunhofer-AISEC/uoscore-uedhoc/blob/0b31e1618dadfdbcc81eb81ed7e10b811e2543ba/modules/oscore/src/coap.c#L253

This is a bug and may be exploited to attack the device (I am not a security expert - just a hunch). The only valid way to calculate the size of all CoAP options is to parse them properly.
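To make the point concrete, here is an added example in C (not code from uoscore-uedhoc) that walks the option list the way RFC 7252 §3.1 defines it (4-bit delta and length nibbles, with the 13/14 extension forms) and contrasts it with a byte-wise scan for the first 0xFF. The sample byte strings are constructed: one carries a Content-Format option whose value bytes are FF FF, which the naive scan mistakes for the payload marker. The function names and the assumption that the buffer starts right after the CoAP header and token are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not uoscore-uedhoc code: walk CoAP options per RFC 7252 §3.1
 * instead of scanning for the first 0xFF byte.  The buffer is assumed to start
 * right after the 4-byte header and the token. */

enum { COAP_OPT_OK = 0, COAP_OPT_ERR_FORMAT = -1, COAP_OPT_ERR_TRUNC = -2 };

struct coap_opts_info {
    size_t options_len;   /* bytes occupied by options, marker excluded */
    int has_payload;      /* 1 if a 0xFF payload marker terminates the options */
    unsigned count;       /* number of options seen */
    uint32_t last_number; /* option number of the last option (deltas summed) */
};

/* Decode a 4-bit delta/length nibble plus its 0/1/2 extension bytes. */
static int decode_ext(uint8_t nibble, const uint8_t *buf, size_t len,
                      size_t *pos, uint32_t *out)
{
    if (nibble < 13) { *out = nibble; return COAP_OPT_OK; }
    if (nibble == 13) {
        if (*pos + 1 > len) return COAP_OPT_ERR_TRUNC;
        *out = 13u + buf[*pos]; *pos += 1; return COAP_OPT_OK;
    }
    if (nibble == 14) {
        if (*pos + 2 > len) return COAP_OPT_ERR_TRUNC;
        *out = 269u + (((uint32_t)buf[*pos] << 8) | buf[*pos + 1]);
        *pos += 2; return COAP_OPT_OK;
    }
    return COAP_OPT_ERR_FORMAT; /* nibble 15 is reserved outside the 0xFF marker */
}

int coap_options_length(const uint8_t *buf, size_t len, struct coap_opts_info *info)
{
    size_t pos = 0;
    memset(info, 0, sizeof *info);
    while (pos < len) {
        uint8_t b = buf[pos];
        if (b == 0xFF) {
            /* A marker may only appear where an option could begin. */
            info->has_payload = 1;
            info->options_len = pos;
            /* A marker with no payload behind it is a format error (RFC 7252 §3). */
            return (pos + 1 < len) ? COAP_OPT_OK : COAP_OPT_ERR_FORMAT;
        }
        pos++;
        uint32_t delta, olen;
        int rc = decode_ext(b >> 4, buf, len, &pos, &delta);
        if (rc) return rc;
        rc = decode_ext(b & 0x0F, buf, len, &pos, &olen);
        if (rc) return rc;
        if (olen > len - pos) return COAP_OPT_ERR_TRUNC; /* value runs past buffer */
        info->last_number += delta;
        info->count++;
        pos += olen; /* skip the value; it may legitimately contain 0xFF bytes */
    }
    info->options_len = pos; /* no marker: message without payload */
    return COAP_OPT_OK;
}

/* The byte-wise scan the issue describes: the first 0xFF is taken as the marker. */
size_t coap_options_length_naive(const uint8_t *buf, size_t len)
{
    const uint8_t *p = memchr(buf, 0xFF, len);
    return p ? (size_t)(p - buf) : len;
}

/* Constructed sample: Uri-Path "a", Content-Format 65535 (value bytes FF FF), marker, "hi". */
static const uint8_t SAMPLE[] = { 0xB1, 'a', 0x12, 0xFF, 0xFF, 0xFF, 'h', 'i' };
/* Constructed sample using the 13+ extended length form: Uri-Path of thirteen 'a's. */
static const uint8_t SAMPLE_EXT[] = { 0xBD, 0x00,
    'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a', 0xFF, 'x' };
/* Constructed truncated sample: length nibble 13 promises an extension byte that is missing. */
static const uint8_t SAMPLE_TRUNC[] = { 0xB1, 'a', 0x1D };

size_t demo_proper_len(void) { struct coap_opts_info i; return coap_options_length(SAMPLE, sizeof SAMPLE, &i) == 0 ? i.options_len : (size_t)-1; }
size_t demo_naive_len(void)  { return coap_options_length_naive(SAMPLE, sizeof SAMPLE); }
size_t demo_ext_len(void)    { struct coap_opts_info i; return coap_options_length(SAMPLE_EXT, sizeof SAMPLE_EXT, &i) == 0 ? i.options_len : (size_t)-1; }
int demo_trunc_rc(void)      { struct coap_opts_info i; return coap_options_length(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &i); }

int main(void)
{
    printf("proper walk: %zu bytes of options, naive scan: %zu\n", demo_proper_len(), demo_naive_len());
    printf("extended-length sample: %zu, truncated sample rc: %d\n", demo_ext_len(), demo_trunc_rc());
    return 0;
}
```

On the first sample the proper walk reports 5 option bytes and the naive scan reports 3, so a decoder relying on the scan would hand the trailing FF FF of the Content-Format value to the payload handler. The truncated sample shows why every extension byte and value length must be bounds-checked against the remaining buffer before it is consumed.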