ARMmbed · ristohuhtala · Dec 17, 2019 · Dec 19, 2019
diff --git a/features/frameworks/mbed-coap/CHANGELOG.md b/features/frameworks/mbed-coap/CHANGELOG.md
@@ -1,5 +1,13 @@
 # Change Log
 
+## [v5.1.3](https://github.com/ARMmbed/mbed-coap/releases/tag/v5.1.3)
+
+- Fix potential integer overflow when calculating CoAP data packet size: IOTCLT-3748 CVE-2019-17211 - mbed-coap integer overflow
+- Fix buffer overflow when parsing CoAP message: IOTCLT-3749 CVE-2019-17212 - mbed-coap Buffer overflow
+
+-[Full Changelog](https://github.com/ARMmbed/mbed-coap/compare/v5.1.2...v5.1.3)
+
+
 ## [v5.1.2](https://github.com/ARMmbed/mbed-coap/releases/tag/v5.1.2)
 
 - Compiler warning cleanups.

diff --git a/features/frameworks/mbed-coap/source/sn_coap_builder.c b/features/frameworks/mbed-coap/source/sn_coap_builder.c
@@ -155,7 +155,7 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size(const sn_coap_hdr_s *src_c
 uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src_coap_msg_ptr, uint16_t blockwise_payload_size)
 {
     (void)blockwise_payload_size;
-    uint16_t returned_byte_count = 0;
+    uint_fast32_t returned_byte_count = 0;
 
     if (!src_coap_msg_ptr) {
         return 0;
@@ -176,7 +176,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
                 tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - token too large!");
                 return 0;
             }
-
             returned_byte_count += src_coap_msg_ptr->token_len;
         }
         /* URI PATH - Repeatable option. Length of one option is 0-255 */
@@ -198,7 +197,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
                 tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - content format too large!");
                 return 0;
             }
-
             returned_byte_count += sn_coap_builder_options_build_add_uint_option(NULL, src_coap_msg_ptr->content_format, COAP_OPTION_CONTENT_FORMAT, &tempInt);
         }
         /* If options list pointer exists */
@@ -212,7 +210,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
                     tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - accept too large!");
                     return 0;
                 }
-
                 returned_byte_count += sn_coap_builder_options_build_add_uint_option(NULL, src_options_list_ptr->accept, COAP_OPTION_ACCEPT, &tempInt);
             }
             /* MAX AGE - An integer option, omitted for default. Up to 4 bytes */
@@ -266,7 +263,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
                     tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - uri host too large!");
                     return 0;
                 }
-
                 returned_byte_count += src_options_list_ptr->uri_host_len;
             }
             /* LOCATION PATH - Repeatable option. Length of this option is 0-255 bytes*/
@@ -359,8 +355,13 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
         }
         returned_byte_count += sn_coap_builder_options_calculate_jump_need(src_coap_msg_ptr);
     }
-    return returned_byte_count;
+    if (returned_byte_count > UINT16_MAX) {
+        tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - packet data size would overflow!");
+        return 0;
+    }
+    return (uint16_t)returned_byte_count;
 }
+
 /**
  * \fn static uint8_t sn_coap_builder_options_calculate_jump_need(sn_coap_hdr_s *src_coap_msg_ptr)
  *

diff --git a/features/frameworks/mbed-coap/source/sn_coap_parser.c b/features/frameworks/mbed-coap/source/sn_coap_parser.c
@@ -310,16 +310,30 @@ static int8_t sn_coap_parser_options_parse(struct coap_s *handle, uint8_t **pack
             option_number = *(*packet_data_pptr + 1) + 13;
             (*packet_data_pptr)++;
         } else if (option_number == 14) {
-            option_number = *(*packet_data_pptr + 2);
-            option_number += (*(*packet_data_pptr + 1) << 8) + 269;
-            (*packet_data_pptr) += 2;
+            if ( message_left>= 2){
+                option_number = *(*packet_data_pptr + 2);
+                option_number += (*(*packet_data_pptr + 1) << 8) + 269;
+                (*packet_data_pptr) += 2;
+            } else {
+                /* packet_data_pptr would overflow! */
+                tr_error("sn_coap_parser_options_parse - **packet_data_pptr overflow !");
+                return -1;
+            }            
         }
         /* Option number 15 reserved for payload marker. This is handled as a error! */
         else if (option_number == 15) {
             tr_error("sn_coap_parser_options_parse - invalid option number(15)!");
             return -1;
         }
 
+        message_left = packet_len - ((*packet_data_pptr) - packet_data_start_ptr);
+
+        if (message_left == 0){
+            /* packet_data_pptr would overflow! */
+            tr_error("sn_coap_parser_options_parse - **packet_data_pptr overflow !");
+            return -1;
+        }
+
         /* Add previous option to option delta and get option number */
         option_number += previous_option_number;
 
@@ -328,9 +342,15 @@ static int8_t sn_coap_parser_options_parse(struct coap_s *handle, uint8_t **pack
             option_len = *(*packet_data_pptr + 1) + 13;
             (*packet_data_pptr)++;
         } else if (option_len == 14) {
-            option_len = *(*packet_data_pptr + 2);
-            option_len += (*(*packet_data_pptr + 1) << 8) + 269;
-            (*packet_data_pptr) += 2;
+            if ( message_left>= 2){
+                option_len = *(*packet_data_pptr + 2);
+                option_len += (*(*packet_data_pptr + 1) << 8) + 269;
+                (*packet_data_pptr) += 2;
+            } else {
+                /* packet_data_pptr would overflow! */
+                tr_error("sn_coap_parser_options_parse - **packet_data_pptr overflow while resolving option length!");
+                return -1;
+            }            
         }
         /* Option number length 15 is reserved for the future use - ERROR */
         else if (option_len == 15) {
@@ -340,6 +360,8 @@ static int8_t sn_coap_parser_options_parse(struct coap_s *handle, uint8_t **pack
 
         message_left = packet_len - (*packet_data_pptr - packet_data_start_ptr);
 
+
+
         /* * * Parse option itself * * */
         /* Some options are handled independently in own functions */
         previous_option_number = option_number;
@@ -366,6 +388,12 @@ static int8_t sn_coap_parser_options_parse(struct coap_s *handle, uint8_t **pack
                 break;
         }
 
+        if (message_left < option_len){
+            /* packet_data_pptr would overflow! */
+            tr_error("sn_coap_parser_options_parse - **packet_data_pptr would overflow when parsing options!");
+            return -1;
+        }
+
         /* Parse option */
         switch (option_number) {
             case COAP_OPTION_CONTENT_FORMAT:
@@ -400,9 +428,7 @@ static int8_t sn_coap_parser_options_parse(struct coap_s *handle, uint8_t **pack
                     tr_error("sn_coap_parser_options_parse - COAP_OPTION_PROXY_URI allocation failed!");
                     return -1;
                 }
-
                 (*packet_data_pptr) += option_len;
-
                 break;
 
             case COAP_OPTION_ETAG:
@@ -581,11 +607,9 @@ static int8_t sn_coap_parser_options_parse(struct coap_s *handle, uint8_t **pack
         if ((*packet_data_pptr - packet_data_start_ptr) > packet_len) {
             return -1;
         }
-
         message_left = packet_len - (*packet_data_pptr - packet_data_start_ptr);
 
     }
-
     return 0;
 }