net: coap: Fix possible overflow

Fix possible integer overflow when parsing a CoAP packet.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Flavio Ceolin 2020-04-16 22:51:04 -07:00 committed by Jukka Rissanen
commit e6204a982e


@ -17,6 +17,7 @@ LOG_MODULE_REGISTER(net_coap, CONFIG_COAP_LOG_LEVEL);
#include <zephyr/types.h> #include <zephyr/types.h>
#include <sys/byteorder.h> #include <sys/byteorder.h>
#include <sys/math_extras.h>
#include <net/net_ip.h> #include <net/net_ip.h>
#include <net/net_core.h> #include <net/net_core.h>
@ -469,7 +470,9 @@ static int parse_option(u8_t *data, u16_t offset, u16_t *pos,
return -EINVAL; return -EINVAL;
} }
*opt_len += hdr_len; if (u16_add_overflow(*opt_len, hdr_len, opt_len)) {
return -EINVAL;
}
} }
if (len > COAP_OPTION_NO_EXT) { if (len > COAP_OPTION_NO_EXT) {
@ -480,11 +483,15 @@ static int parse_option(u8_t *data, u16_t offset, u16_t *pos,
return -EINVAL; return -EINVAL;
} }
*opt_len += hdr_len; if (u16_add_overflow(*opt_len, hdr_len, opt_len)) {
return -EINVAL;
}
} }
*opt_delta += delta; if (u16_add_overflow(*opt_delta, delta, opt_delta) ||
*opt_len += len; u16_add_overflow(*opt_len, len, opt_len)) {
return -EINVAL;
}
if (r == 0) { if (r == 0) {
if (len == 0U) { if (len == 0U) {
@ -519,7 +526,10 @@ static int parse_option(u8_t *data, u16_t offset, u16_t *pos,
return -EINVAL; return -EINVAL;
} }
} else { } else {
*pos += len; if (u16_add_overflow(*pos, len, pos)) {
return -EINVAL;
}
r = max_len - *pos; r = max_len - *pos;
} }
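Review bot: In the last hunk the new `u16_add_overflow(*pos, len, pos)` guard rejects only a 16-bit wrap, so a `len` taken from the packet can still move `*pos` past `max_len` without being refused. The following `r = max_len - *pos;` then yields a negative value that is not an errno code (assuming `r` is a signed int; its declaration and the callers are outside the hunk). I would bound the skip against the buffer in the same test: `if (u16_add_overflow(*pos, len, pos) || *pos > max_len) { return -EINVAL; }`. It is also worth a short comment on `parse_option` stating that `*pos`, `*opt_delta` and `*opt_len` are not meaningful after an `-EINVAL` return, since the helper appears to store the wrapped sum through its result pointer even when it reports overflow. The body of `parse_option` starts and ends outside the visible hunks.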