Allele Security Alert
Memory access out of range in library parser part
Arm Mbed OS CoAP
Arm Mbed OS version 5.13.2
Proof of concept
Buffer overflows were discovered in the CoAP library in Arm Mbed OS.
The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses CoAP input linearly using a while loop. Once an option is parsed in a loop, the current point (*packet_data_pptr) is increased correspondingly. The pointer is restricted by the size of the received buffer, as well as by the 0xFF delimiter byte. Inside each while loop, the check of the value of *packet_data_pptr is not strictly enforced. More specifically, inside a loop, *packet_data_pptr could be increased and then dereferenced without checking. Moreover, there are many other functions in the format of sn_coap_parser_****() that do not check whether the pointer is within the bounds of the allocated buffer. All of these lead to heap-based or stack-based buffer overflows, depending on how the CoAP packet buffer is allocated.
memory acess out of range in MbedOS CoAP library parser part
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: December 10, 2019