Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gcoap: Avoid reading beyond defined input buffer #20549

Merged
merged 2 commits into from
Jul 30, 2024

Conversation

chrysn
Copy link
Member

@chrysn chrysn commented Apr 6, 2024

Contribution description

GCoAP contains a memcopy that reads beyond the bounds of the input.

This is likely not a security issue, but it does trip up ASAN (even in cases when there are otherwise no ill-effects), and it will let an error go unnoticed when trying to send too large a buffer and only copying out a portion of it.

Previously, the full retransmit buffer size was read from the source buffer and stored in the retransmit buffer. (The original length was still stored, so no other read would happen on the extraneously copied data).

I don't consider this a security issue because while there would reads to unwritten memory on retransmissions, any application that actually has its buffers and request content set up in such a way that this happens would already suffer visible breakage due to "garbage" (secrets, in the unlikely case that they are stored right behind the buffer) being retransmitted.

A second commit avoids leaking memos and the lock in two error cases (the new one and the one where I took justification for a plain return from).

Testing procedure

  • (if you like to see a result fast, run aiocoap's aiocoap-rd and substitute your local address below -- but the ASAN error happens as well without the running server)
  • run cord_lc example with
$ make all-asan
$ ./examples/cord_lc/bin/native/cord_lc.elf tap0
> cord_lc [fe80::f30:40e4:6c93:e17d]:5683 resource

Previously, this would have caused an ASAN abort; now, it merely reports whatever is in the RD (probably -4 for "nothing", or a timeout if you don't have aiocoap-rd running).

Issues/PRs references

  • TBD: Why did this not get noticed earlier? Our native tests should be run with asan builds ... or it should even be on-by-default.

@github-actions github-actions bot added Area: network Area: Networking Area: CoAP Area: Constrained Application Protocol implementations Area: sys Area: System labels Apr 6, 2024
@chrysn chrysn added the CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR label Apr 6, 2024
@riot-ci
Copy link

riot-ci commented Apr 6, 2024

Murdock results

✔️ PASSED

2f7cbd3 gcoap: Avoid lockup from error paths

Success Failures Total Runtime
10082 0 10083 14m:43s

Artifacts

Copy link
Contributor

@Teufelchen1 Teufelchen1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good to me. Could you help me to asses whether this has an high impact? Can this still be part of the upcoming release or should it be postponed?

sys/net/application_layer/gcoap/gcoap.c Outdated Show resolved Hide resolved
Copy link
Member Author

@chrysn chrysn left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the impact is low either way. There's the chance that I did miss some security implication, in which case it'd be good to have it in. I don't expect any breakage, but same there, could be wrong. In total, I think it's a toss-up.

@fabian18
Copy link
Contributor

Just a reminder. I think this is only stalling because the fixup commit must be squashed.

@chrysn
Copy link
Member Author

chrysn commented Apr 24, 2024

Thanks for the ping, squashed. As there are unrelated errors popping up, I'm rebasing onto master.

@fabian18
Copy link
Contributor

Although it is probably within the bounds of some static buffer where buf points to, I just saw a couple of lines below for the NON case technically we might also read beyond input bytes if no token or a token less that 8 bytes is used:

        case COAP_TYPE_NON:
            memo->send_limit = GCOAP_SEND_LIMIT_NON;
            memcpy(&memo->msg.hdr_buf[0], buf, GCOAP_HEADER_MAXLEN);
            timeout = CONFIG_GCOAP_NON_TIMEOUT_MSEC;
            break;

a MIN(len, GCOAP_HEADER_MAXLEN) would probably fix it.

@Teufelchen1 Teufelchen1 added CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR and removed CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR labels May 7, 2024
@benpicco
Copy link
Contributor

Any reason not to press the merge button on this?

@Teufelchen1 Teufelchen1 added this pull request to the merge queue Jul 30, 2024
Merged via the queue into RIOT-OS:master with commit 1e6164f Jul 30, 2024
27 checks passed
@benpicco benpicco added this to the Release 2024.10 milestone Nov 27, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Area: CoAP Area: Constrained Application Protocol implementations Area: network Area: Networking Area: sys Area: System CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants