keith-cullen / FreeCoAP

An implementation of a CoAP client, a CoAP server and a HTTP/CoAP proxy with full DTLS support.

Bug: Null Pointer Dereference Detected in coap_client.c at coap_client_exchange_blockwise2 Function #37

Open dqp10515 opened 1 month ago

dqp10515 commented 1 month ago

Reproduce Info

Build Environment Update

The Makefile within the test_coap_server directory has been updated to utilize clang with sanitizers.

 I1 = ../../lib/include
 S1 = ../../lib/src
-CC_ ?= gcc
-CFLAGS = -Wall \
+CC_ ?= clang
+CFLAGS = -Wall -g -fsanitize=address,undefined -fno-omit-frame-pointer\
          -I $(I1)
 CFLAGS += $(IP6_CFLAGS)
 CFLAGS += $(DTLS_CFLAGS)
-LD_ ?= gcc
-LDFLAGS =
+LD_ ?= clang
+LDFLAGS = -fsanitize=address,undefined
 INCS = $(I1)/coap_server.h \
        $(I1)/coap_msg.h \
        $(I1)/coap_mem.h \
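Review bot: the sanitizer flags are added to the test_coap_server Makefile, but the crash report further down is from the test_coap_client binary (every frame is under test/test_coap_client, e.g. test_coap_client.c:2316 and test_coap_client/../../lib/src/coap_client.c:1950), so this hunk instruments a server that never appears in the trace. The same three changes (`+CC_ ?= clang`, `+CFLAGS = -Wall -g -fsanitize=address,undefined -fno-omit-frame-pointer\`, `+LDFLAGS = -fsanitize=address,undefined`) need to be applied to test/test_coap_client/Makefile as well, and the build step below should say which directory was actually built with `make dtls=n`, otherwise the report cannot be reproduced from the steps given.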

Building test_coap_server

cd FreeCoAP/test/test_coap_server
make dtls=n

Run Instructions

Starting the CoAP Server

The CoAP server was started using the test_coap_server executable:

cd FreeCoAP/test/test_coap_server
./test_coap_server 1234

Sending the Packet

Packets were sent from the client to the client using the series of hexstreams in hexstream.txt.

Description

A null pointer dereference was discovered in the coap_client_exchange_blockwise2 function defined in coap_client.c at line 1950. The call coap_msg_get_payload(resp) returns a null pointer, which is then passed to memcpy as the source argument, leading to undefined behavior as specified by the C standard.

Crash report

Here is the UBSan report:

../../lib/src/coap_client.c:1950:37: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
    #0 0x4d738c in coap_client_exchange_blockwise2 FreeCoAP/test/test_coap_client/../../lib/src/coap_client.c:1950:9
    #1 0x4d5c7b in coap_client_exchange_blockwise FreeCoAP/test/test_coap_client/../../lib/src/coap_client.c:1976:15
    #2 0x4d1750 in exchange_blockwise FreeCoAP/test/test_coap_client/test_coap_client.c:2316:11
    #3 0x4cbb9f in test_exchange_blockwise_func FreeCoAP/test/test_coap_client/test_coap_client.c:2635:15
    #4 0x4ef7df in test_run FreeCoAP/test/test_coap_client/../test.c:51:18
    #5 0x4c9acc in main FreeCoAP/test/test_coap_client/test_coap_client.c:2963:20
    #6 0x7f596c2d20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #7 0x41c35d in _start (FreeCoAP/test/test_coap_client/test_coap_client+0x41c35d)

SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../lib/src/coap_client.c:1950:37 in
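The guard a block-wise reassembly loop needs before its memcpy, as an added C example that is not FreeCoAP's code and not part of the issue above: the message and state types (`blk_msg_t`, `blk_reasm_t`) and `blk_reassemble()` are hypothetical stand-ins rather than FreeCoAP's `coap_msg_get_payload()` or `coap_client_exchange_blockwise2()`, and the two payload blocks are constructed input. It shows the three cases a receiver must separate: a block with no payload (the shape that produced the UBSan report), an empty block, and a block that would overrun the reassembly buffer.

```c
/*
 * Added example (not FreeCoAP code): defensive copy of one Block2 response
 * payload into a reassembly buffer. blk_msg_t, blk_reasm_t and
 * blk_reassemble() are hypothetical stand-ins for the library's own types.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK_OK       0
#define BLK_EINVAL  -1   /* bad arguments, including a missing payload */
#define BLK_ENOSPC  -2   /* block would overrun the reassembly buffer */

/* Minimal stand-in for a received CoAP message. payload is NULL when the
 * message carries no payload (error response, empty block). */
typedef struct {
    const uint8_t *payload;
    size_t payload_len;
} blk_msg_t;

/* Reassembly state: destination buffer, its size, bytes written so far. */
typedef struct {
    uint8_t *buf;
    size_t buf_len;
    size_t num;
} blk_reasm_t;

/* Append one block's payload to the reassembly buffer.
 * Never hands a NULL source to memcpy (memcpy is declared nonnull, so that
 * is undefined behavior even when the length is 0) and bounds-checks the
 * copy against the remaining space before it happens. */
int blk_reassemble(blk_reasm_t *st, const blk_msg_t *resp)
{
    if (st == NULL || st->buf == NULL || resp == NULL) {
        return BLK_EINVAL;
    }
    /* The unguarded form this replaces:
     *   memcpy(st->buf + st->num, resp->payload, resp->payload_len); */
    if (resp->payload == NULL) {
        return BLK_EINVAL;          /* no payload: reject, do not copy */
    }
    if (resp->payload_len == 0) {
        return BLK_OK;              /* empty block: nothing to copy */
    }
    if (resp->payload_len > st->buf_len - st->num) {
        return BLK_ENOSPC;          /* would overrun the destination */
    }
    memcpy(st->buf + st->num, resp->payload, resp->payload_len);
    st->num += resp->payload_len;
    return BLK_OK;
}

/* Drive the three paths on constructed blocks. Returns the number of bytes
 * reassembled on success, or a negative code naming the failed step. */
long blk_demo(void)
{
    static const uint8_t block0[] = "hello";   /* constructed 5-byte block */
    static const uint8_t block1[] = " world";  /* constructed 6-byte block */
    uint8_t out[16];
    blk_reasm_t st = { out, sizeof(out), 0 };
    blk_msg_t b0 = { block0, 5 };
    blk_msg_t b1 = { block1, 6 };
    blk_msg_t nopayload = { NULL, 0 };         /* the crashing shape */

    if (blk_reassemble(&st, &b0) != BLK_OK)          return -100;
    if (blk_reassemble(&st, &nopayload) != BLK_EINVAL) return -101;
    if (blk_reassemble(&st, &b1) != BLK_OK)          return -102;
    /* 11 of 16 bytes used; another 6-byte block must be refused */
    if (blk_reassemble(&st, &b1) != BLK_ENOSPC)      return -103;
    return (long)st.num;
}

int main(void)
{
    long n = blk_demo();
    printf("reassembled %ld bytes\n", n);
    return n == 11 ? 0 : 1;
}
```

The order of the checks matters: the NULL test comes before the zero-length test, because a zero-length memcpy with a NULL source is still a nonnull violation, and the space check subtracts `st->num` from `st->buf_len` rather than adding to the length, so it cannot wrap.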