michaelh/zephyr
1
0
Fork 0
Code Releases Activity

net: coap: Fix possible overflow

Browse source 
Fix possible integer overflow when parsing a CoAP packet.

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
This commit is contained in:
Flavio Ceolin 2020-04-16 22:51:04 -07:00 committed by Jukka Rissanen
commit e6204a982e
1 changed files with 15 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

20
subsys/net/lib/coap/coap.c
View file

@ -17,6 +17,7 @@ LOG_MODULE_REGISTER(net_coap, CONFIG_COAP_LOG_LEVEL);
#include <zephyr/types.h>
#include <sys/byteorder.h>
#include <sys/math_extras.h>
#include <net/net_ip.h>
#include <net/net_core.h>
@ -469,7 +470,9 @@ static int parse_option(u8_t *data, u16_t offset, u16_t *pos,
return -EINVAL;
}
*opt_len += hdr_len;
if (u16_add_overflow(*opt_len, hdr_len, opt_len)) {
return -EINVAL;
}
}
if (len > COAP_OPTION_NO_EXT) {
@ -480,11 +483,15 @@ static int parse_option(u8_t *data, u16_t offset, u16_t *pos,
return -EINVAL;
}
*opt_len += hdr_len;
if (u16_add_overflow(*opt_len, hdr_len, opt_len)) {
return -EINVAL;
}
}
*opt_delta += delta;
*opt_len += len;
if (u16_add_overflow(*opt_delta, delta, opt_delta) ||
u16_add_overflow(*opt_len, len, opt_len)) {
return -EINVAL;
}
if (r == 0) {
if (len == 0U) {
@ -519,7 +526,10 @@ static int parse_option(u8_t *data, u16_t offset, u16_t *pos,
return -EINVAL;
}
} else {
*pos += len;
if (u16_add_overflow(*pos, len, pos)) {
return -EINVAL;
}
r = max_len - *pos;
}