contiki-ng / contiki-ng

Contiki-NG: The OS for Next Generation IoT Devices
https://www.contiki-ng.org/
BSD 3-Clause "New" or "Revised" License

Out of bounds read in coap message parser #1312

Closed mjurczak closed 3 years ago

mjurczak commented 4 years ago

Description of defect

References:

https://github.com/contiki-ng/contiki-ng/tree/release/v4.5

File:

coap.c

Analysis:

Memory access beyond the input packet buffer may occur in several places in the coap_parse_message() function due to insufficient boundary checks before read access is made. The content of the buffer beyond the parsed packet is processed as if it were part of the incoming message.

Minimal packet length is not validated prior to mandatory header parsing: https://github.com/contiki-ng/contiki-ng/blob/831b86ac5e79e6b0aaa3f23476581daad6bc7b72/os/net/app-layer/coap/coap.c#L417-L433

The token is read without prior validation that the entire token memory is within the packet buffer: https://github.com/contiki-ng/contiki-ng/blob/831b86ac5e79e6b0aaa3f23476581daad6bc7b72/os/net/app-layer/coap/coap.c#L447

Option delta and option length bytes are accessed via an incremented pointer without verifying that the pointer is within the packet buffer: https://github.com/contiki-ng/contiki-ng/blob/831b86ac5e79e6b0aaa3f23476581daad6bc7b72/os/net/app-layer/coap/coap.c#L482-L502

Type:

Result:

Target(s) affected by this defect ?

Patch proposal: https://github.com/contiki-ng/contiki-ng/compare/develop...mjurczak:bugfix/coap_read_out_of_bounds
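A bounds-checked walk over the same three places the issue lists (fixed header, token, option delta/length extension bytes and option value), as an added example written for this page; it is not the project's parser or the proposed patch. The names coap_parse_checked and coap_read_ext are hypothetical, and every read is compared against the buffer end before it happens, which is what RFC 7252 parsing needs to stay inside the packet.

```c
#include <stddef.h>
#include <stdint.h>

/* Decode a 4-bit option delta/length nibble plus its extension bytes (RFC 7252
 * 3.1), advancing *p. Returns 0 on success, -1 if the extension bytes would be
 * read past 'end' or the nibble is the reserved value 15. */
static int
coap_read_ext(uint8_t nibble, const uint8_t **p, const uint8_t *end, unsigned *out)
{
  if(nibble < 13) {
    *out = nibble;
  } else if(nibble == 13) {
    if(end - *p < 1) return -1;                 /* one extension byte must be present */
    *out = 13 + **p; *p += 1;
  } else if(nibble == 14) {
    if(end - *p < 2) return -1;                 /* two extension bytes must be present */
    *out = 269 + (((unsigned)(*p)[0] << 8) | (*p)[1]); *p += 2;
  } else {
    return -1;                                  /* 15 is reserved outside the 0xFF marker */
  }
  return 0;
}

/* Walk a CoAP message, checking every read against the buffer length (hypothetical
 * helper, not Contiki-NG's coap_parse_message()). Returns the number of options
 * found, or -1 if the packet is truncated or malformed. */
int
coap_parse_checked(const uint8_t *buf, size_t len)
{
  const uint8_t *p = buf, *end = buf + len;
  if(len < 4) return -1;                        /* fixed header is 4 bytes: ver/type/tkl, code, msg id */
  if((buf[0] >> 6) != 1) return -1;             /* only version 1 is defined */
  uint8_t tkl = buf[0] & 0x0f;
  if(tkl > 8) return -1;                        /* TKL 9..15 are reserved, must be rejected */
  p += 4;
  if((size_t)(end - p) < tkl) return -1;        /* token must lie inside the packet */
  p += tkl;
  int n_options = 0;
  while(p < end && *p != 0xff) {                /* 0xFF is the payload marker */
    uint8_t b = *p++;
    unsigned delta, olen;
    if(coap_read_ext(b >> 4, &p, end, &delta) < 0) return -1;
    if(coap_read_ext(b & 0x0f, &p, end, &olen) < 0) return -1;
    if((size_t)(end - p) < olen) return -1;     /* option value must lie inside the packet */
    p += olen;
    n_options++;
  }
  if(p < end && *p == 0xff && end - p == 1) return -1; /* marker with empty payload is an error */
  return n_options;
}
```

The test packets are constructed: a bare GET, a GET with a two-byte token and a Uri-Path option, then the truncated header, over-long token, missing extension byte and over-long option value cases that the issue describes.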

mjurczak commented 4 years ago

https://github.com/contiki-ng/contiki-ng/pull/1313