Merge pull request #12147 from ristohuhtala/mbed-coap-builder-uint-overflow

mbed-coap uint16 overflow fix
pull/12183/head
Martin Kojtal 2020-01-02 13:51:14 +00:00 committed by GitHub
commit de798c4f37
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 15 additions and 6 deletions


@ -1,5 +1,13 @@
# Change Log
## [v5.1.3](https://github.com/ARMmbed/mbed-coap/releases/tag/v5.1.3)
- Fix potential integer overflow when calculating CoAP data packet size: IOTCLT-3748 CVE-2019-17211 - mbed-coap integer overflow
- Fix buffer overflow when parsing CoAP message: IOTCLT-3749 CVE-2019-17212 - mbed-coap Buffer overflow
-[Full Changelog](https://github.com/ARMmbed/mbed-coap/compare/v5.1.2...v5.1.3)
## [v5.1.2](https://github.com/ARMmbed/mbed-coap/releases/tag/v5.1.2)
- Compiler warning cleanups.


@ -155,7 +155,7 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size(const sn_coap_hdr_s *src_c
uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src_coap_msg_ptr, uint16_t blockwise_payload_size)
{
(void)blockwise_payload_size;
uint16_t returned_byte_count = 0;
uint_fast32_t returned_byte_count = 0;
if (!src_coap_msg_ptr) {
return 0;
@ -176,7 +176,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - token too large!");
return 0;
}
returned_byte_count += src_coap_msg_ptr->token_len;
}
/* URI PATH - Repeatable option. Length of one option is 0-255 */
@ -198,7 +197,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - content format too large!");
return 0;
}
returned_byte_count += sn_coap_builder_options_build_add_uint_option(NULL, src_coap_msg_ptr->content_format, COAP_OPTION_CONTENT_FORMAT, &tempInt);
}
/* If options list pointer exists */
@ -212,7 +210,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - accept too large!");
return 0;
}
returned_byte_count += sn_coap_builder_options_build_add_uint_option(NULL, src_options_list_ptr->accept, COAP_OPTION_ACCEPT, &tempInt);
}
/* MAX AGE - An integer option, omitted for default. Up to 4 bytes */
@ -266,7 +263,6 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - uri host too large!");
return 0;
}
returned_byte_count += src_options_list_ptr->uri_host_len;
}
/* LOCATION PATH - Repeatable option. Length of this option is 0-255 bytes*/
@ -359,8 +355,13 @@ uint16_t sn_coap_builder_calc_needed_packet_data_size_2(const sn_coap_hdr_s *src
}
returned_byte_count += sn_coap_builder_options_calculate_jump_need(src_coap_msg_ptr);
}
return returned_byte_count;
if (returned_byte_count > UINT16_MAX) {
tr_error("sn_coap_builder_calc_needed_packet_data_size_2 - packet data size would overflow!");
return 0;
}
return (uint16_t)returned_byte_count;
}
/**
* \fn static uint8_t sn_coap_builder_options_calculate_jump_need(sn_coap_hdr_s *src_coap_msg_ptr)
*
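Review bot: The new overflow path at the end of sn_coap_builder_calc_needed_packet_data_size_2 returns 0, the same value already returned for a NULL message and for each "too large" option, so the fix only holds if every caller treats 0 as a failure before it sizes or fills a buffer. The callers are outside this diff, so that should be confirmed. The widened `uint_fast32_t` accumulator also protects only the additions made in this function: any helper whose own return type is 16 bits or narrower (their definitions are not shown here) could still wrap before its result is added, so those are worth checking too. I would record the contract in the function's header comment, for example `\return Needed byte count, or 0 on invalid input or if the size would exceed UINT16_MAX`. Most of the function body lies between the hunks and is not visible here.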