Merge pull request #12147 from ristohuhtala/mbed-coap-builder-uint-overflow

0xc0170 · web-flow · commit de798c4f379a · 2020-01-02T13:51:14.000Z
mbed-coap uint16 overflow fix
diff --git a/features/frameworks/mbed-coap/CHANGELOG.md b/features/frameworks/mbed-coap/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Change Log
 
+## [v5.1.3](https://github.com/ARMmbed/mbed-coap/releases/tag/v5.1.3)
+
+- Fix potential integer overflow when calculating CoAP data packet size: IOTCLT-3748 CVE-2019-17211 - mbed-coap integer overflow
+- Fix buffer overflow when parsing CoAP message: IOTCLT-3749 CVE-2019-17212 - mbed-coap Buffer overflow
+
+-[Full Changelog](https://github.com/ARMmbed/mbed-coap/compare/v5.1.2...v5.1.3)
+
+
 ## [v5.1.2](https://github.com/ARMmbed/mbed-coap/releases/tag/v5.1.2)
 
 - Compiler warning cleanups.
diff --git a/features/frameworks/mbed-coap/source/sn_coap_builder.c b/features/frameworks/mbed-coap/source/sn_coap_builder.c
@@ -155,7 +155,7 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size(const sn_coap_hdr_s *src_c
 uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src_coap_msg_ptr, uint16_t blockwise_payload_size)
 {
     (void)blockwise_payload_size;
-    uint16_t returned_byte_count = 0;
+    uint_fast32_t returned_byte_count = 0;
 
     if (!src_coap_msg_ptr) {
         return 0;
@@ -176,7 +176,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
                 tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - token too large!");
                 return 0;
             }
-
             returned_byte_count += src_coap_msg_ptr->token_len;
         }
         /* URI PATH - Repeatable option. Length of one option is 0-255 */
@@ -198,7 +197,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
                 tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - content format too large!");
                 return 0;
             }
-
             returned_byte_count += sn_coap_builder_options_build_add_uint_option(NULL, src_coap_msg_ptr->content_format, COAP_OPTION_CONTENT_FORMAT, &tempInt);
         }
         /* If options list pointer exists */
@@ -212,7 +210,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
                     tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - accept too large!");
                     return 0;
                 }
-
                 returned_byte_count += sn_coap_builder_options_build_add_uint_option(NULL, src_options_list_ptr->accept, COAP_OPTION_ACCEPT, &tempInt);
             }
             /* MAX AGE - An integer option, omitted for default. Up to 4 bytes */
@@ -266,7 +263,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
                     tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - uri host too large!");
                     return 0;
                 }
-
                 returned_byte_count += src_options_list_ptr->uri_host_len;
             }
             /* LOCATION PATH - Repeatable option. Length of this option is 0-255 bytes*/
@@ -359,8 +355,13 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
         }
         returned_byte_count += sn_coap_builder_options_calculate_jump_need(src_coap_msg_ptr);
     }
-    return returned_byte_count;
+    if (returned_byte_count > UINT16_MAX) {
+        tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - packet data size would overflow!");
+        return 0;
+    }
+    return (uint16_t)returned_byte_count;
 }
+
 /**
  * \fn static uint8_t sn_coap_builder_options_calculate_jump_need(sn_coap_hdr_s *src_coap_msg_ptr)
  *

Original file line number	Diff line number	Diff line change
`@@ -155,7 +155,7 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size(const sn_coap_hdr_s *src_c`
`155`	`155`	`uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src_coap_msg_ptr, uint16_t blockwise_payload_size)`
`156`	`156`	`{`
`157`	`157`	`(void)blockwise_payload_size;`
`158`		`- uint16_t returned_byte_count = 0;`
	`158`	`+ uint_fast32_t returned_byte_count = 0;`
`159`	`159`
`160`	`160`	`if (!src_coap_msg_ptr) {`
`161`	`161`	`return 0;`
`@@ -176,7 +176,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src`
`176`	`176`	`tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - token too large!");`
`177`	`177`	`return 0;`
`178`	`178`	`}`
`179`		`-`
`180`	`179`	`returned_byte_count += src_coap_msg_ptr->token_len;`
`181`	`180`	`}`
`182`	`181`	`/* URI PATH - Repeatable option. Length of one option is 0-255 */`
`@@ -198,7 +197,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src`
`198`	`197`	`tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - content format too large!");`
`199`	`198`	`return 0;`
`200`	`199`	`}`
`201`		`-`
`202`	`200`	`returned_byte_count += sn_coap_builder_options_build_add_uint_option(NULL, src_coap_msg_ptr->content_format, COAP_OPTION_CONTENT_FORMAT, &tempInt);`
`203`	`201`	`}`
`204`	`202`	`/* If options list pointer exists */`
`@@ -212,7 +210,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src`
`212`	`210`	`tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - accept too large!");`
`213`	`211`	`return 0;`
`214`	`212`	`}`
`215`		`-`
`216`	`213`	`returned_byte_count += sn_coap_builder_options_build_add_uint_option(NULL, src_options_list_ptr->accept, COAP_OPTION_ACCEPT, &tempInt);`
`217`	`214`	`}`
`218`	`215`	`/* MAX AGE - An integer option, omitted for default. Up to 4 bytes */`
`@@ -266,7 +263,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src`
`266`	`263`	`tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - uri host too large!");`
`267`	`264`	`return 0;`
`268`	`265`	`}`
`269`		`-`
`270`	`266`	`returned_byte_count += src_options_list_ptr->uri_host_len;`
`271`	`267`	`}`
`272`	`268`	`/* LOCATION PATH - Repeatable option. Length of this option is 0-255 bytes*/`
`@@ -359,8 +355,13 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src`
`359`	`355`	`}`
`360`	`356`	`returned_byte_count += sn_coap_builder_options_calculate_jump_need(src_coap_msg_ptr);`
`361`	`357`	`}`
`362`		`- return returned_byte_count;`
	`358`	`+ if (returned_byte_count > UINT16_MAX) {`
	`359`	`+ tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - packet data size would overflow!");`
	`360`	`+ return 0;`
	`361`	`+ }`
	`362`	`+ return (uint16_t)returned_byte_count;`
`363`	`363`	`}`
	`364`	`+`
`364`	`365`	`/**`
`365`	`366`	`* \fn static uint8_t sn_coap_builder_options_calculate_jump_need(sn_coap_hdr_s *src_coap_msg_ptr)`
`366`	`367`	`*`