-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
gcoap: Avoid reading beyond defined input buffer #20549
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me. Could you help me to asses whether this has an high impact? Can this still be part of the upcoming release or should it be postponed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the impact is low either way. There's the chance that I did miss some security implication, in which case it'd be good to have it in. I don't expect any breakage, but same there, could be wrong. In total, I think it's a toss-up.
Just a reminder. I think this is only stalling because the |
Thanks for the ping, squashed. As there are unrelated errors popping up, I'm rebasing onto master. |
Although it is probably within the bounds of some case COAP_TYPE_NON:
memo->send_limit = GCOAP_SEND_LIMIT_NON;
memcpy(&memo->msg.hdr_buf[0], buf, GCOAP_HEADER_MAXLEN);
timeout = CONFIG_GCOAP_NON_TIMEOUT_MSEC;
break; a |
Any reason not to press the merge button on this? |
Contribution description
GCoAP contains a memcopy that reads beyond the bounds of the input.
This is likely not a security issue, but it does trip up ASAN (even in cases when there are otherwise no ill-effects), and it will let an error go unnoticed when trying to send too large a buffer and only copying out a portion of it.
Previously, the full retransmit buffer size was read from the source buffer and stored in the retransmit buffer. (The original length was still stored, so no other read would happen on the extraneously copied data).
I don't consider this a security issue because while there would reads to unwritten memory on retransmissions, any application that actually has its buffers and request content set up in such a way that this happens would already suffer visible breakage due to "garbage" (secrets, in the unlikely case that they are stored right behind the buffer) being retransmitted.
A second commit avoids leaking memos and the lock in two error cases (the new one and the one where I took justification for a plain return from).
Testing procedure
Previously, this would have caused an ASAN abort; now, it merely reports whatever is in the RD (probably -4 for "nothing", or a timeout if you don't have aiocoap-rd running).
Issues/PRs references