The CoAP server was started using the test_coap_server executable:
cd FreeCoAP/test/test_coap_server
./test_coap_server 1234
Sending the Packet
Sending packets from the client to the client using a series of hexstreams in: hexstream.txt
Description
A null pointer dereference issue was discovered in the coap_client_exchange_blockwise2 function defined in coap_client.c at line 1950. The call coap_msg_get_payload(resp) returns a null pointer, which is then passed to memcpy as the source argument. memcpy's arguments are declared nonnull, so this is undefined behavior as specified by the C standard.
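The check that the report implies, as an added C example that is not FreeCoAP's own code: the msg_t struct, its two getters and the function name append_block are hypothetical stand-ins for the library's response message and coap_msg_get_payload(), and the buffer-bounds check is an added hardening the report does not mention.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical minimal stand-in for a FreeCoAP response message, holding
 * only what this example needs; not the library's real message layout. */
typedef struct {
    const char *payload;   /* NULL when the response carries no payload */
    size_t payload_len;
} msg_t;

/* Stand-ins for coap_msg_get_payload() and its length getter. */
static const char *msg_get_payload(const msg_t *m) { return m->payload; }
static size_t msg_get_payload_len(const msg_t *m) { return m->payload_len; }

/* Append one blockwise response payload to the reassembly buffer at *offset.
 * Returns the number of bytes copied, -1 when the response has no payload
 * (the case that reached memcpy in the report), -2 when the block would
 * overflow the caller's buffer. The buffer is left untouched on error. */
int append_block(char *body, size_t body_size, size_t *offset, const msg_t *resp)
{
    const char *src = msg_get_payload(resp);
    size_t len = msg_get_payload_len(resp);

    /* Never hand a NULL source to memcpy: its arguments are declared nonnull,
     * which is exactly what UBSan flagged at coap_client.c:1950. */
    if (src == NULL)
        return -1;
    /* len comes from the peer, so bound it against the remaining space. */
    if (*offset > body_size || len > body_size - *offset)
        return -2;
    if (len > 0)
        memcpy(body + *offset, src, len);
    *offset += len;
    return (int)len;
}
```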
Crash report
Here is the UBSan report:
../../lib/src/coap_client.c:1950:37: runtime error: null pointer passed as argument 2, which is declared to never be null
/usr/include/string.h:44:28: note: nonnull attribute specified here
#0 0x4d738c in coap_client_exchange_blockwise2 FreeCoAP/test/test_coap_client/../../lib/src/coap_client.c:1950:9
#1 0x4d5c7b in coap_client_exchange_blockwise FreeCoAP/test/test_coap_client/../../lib/src/coap_client.c:1976:15
#2 0x4d1750 in exchange_blockwise FreeCoAP/test/test_coap_client/test_coap_client.c:2316:11
#3 0x4cbb9f in test_exchange_blockwise_func FreeCoAP/test/test_coap_client/test_coap_client.c:2635:15
#4 0x4ef7df in test_run FreeCoAP/test/test_coap_client/../test.c:51:18
#5 0x4c9acc in main FreeCoAP/test/test_coap_client/test_coap_client.c:2963:20
#6 0x7f596c2d20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#7 0x41c35d in _start (FreeCoAP/test/test_coap_client/test_coap_client+0x41c35d)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../../lib/src/coap_client.c:1950:37 in
Reproduce Info
Build Environment Update
The Makefile within the test_coap_server directory has been updated to utilize clang with sanitizers.
Building test_coap_server