CVE-2019-17212

Buffer overflows were discovered in the CoAP library in Arm Mbed OS 5.14.0. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses CoAP input linearly using a while loop. Once an option is parsed in a loop, the current point (*packet_data_pptr) is increased correspondingly. The pointer is restricted by the size of the received buffer, as well as by the 0xFF delimiter byte. Inside each while loop, the check of the value of *packet_data_pptr is not strictly enforced. More specifically, inside a loop, *packet_data_pptr could be increased and then dereferenced without checking. Moreover, there are many other functions in the format of sn_coap_parser_****() that do not check whether the pointer is within the bounds of the allocated buffer. All of these lead to heap-based or stack-based buffer overflows, depending on how the CoAP packet buffer is allocated.

Buffer overflows were discovered in the CoAP library in Arm Mbed OS 5.14.0. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses CoAP input linearly using a while loop. Once an option is parsed in a loop, the current point (*packet_data_pptr) is increased correspondingly. The pointer is restricted by the size of the received buffer, as well as by the 0xFF delimiter byte. Inside each while loop, the check of the value of *packet_data_pptr is not strictly enforced. More specifically, inside a loop, *packet_data_pptr could be increased and then dereferenced without checking. Moreover, there are many other functions in the format of sn_coap_parser_****() that do not check whether the pointer is within the bounds of the allocated buffer. All of these lead to heap-based or stack-based buffer overflows, depending on how the CoAP packet buffer is allocated.

Fueron detectados desbordamientos de búfer en la biblioteca CoAP en Arm Mbed OS versión 5.14.0. El analizador de CoAP es responsable de analizar los paquetes CoAP recibidos. La función sn_coap_parser_options_parse() analiza la entrada CoAP linealmente usando un bucle while. Una vez que una opción es analizada en un bucle, el punto actual (*packet_data_pptr) es incrementado correspondientemente. El puntero está restringido por el tamaño del búfer recibido, así como por el byte delimitador 0xFF. Dentro de cada bucle while, la comprobación del valor de *packet_data_pptr no se aplica estrictamente. Más específicamente, dentro de un bucle, *packet_data_pptr podría ser aumentada y luego desreferenciarse sin comprobar. Además, existen muchas otras funciones en el formato de sn_coap_parser que no comprueban si el puntero está dentro de los límites del búfer asignado. Todo esto conduce a desbordamientos de búfer en la región heap de la memoria o en la región stack de la memoria, dependiendo de cómo sea asignado el búfer de paquetes CoAP.