Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

gcoap: Avoid reading beyond defined input buffer #20549

Merged
merged 2 commits into from
Jul 30, 2024
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
14 changes: 13 additions & 1 deletion sys/net/application_layer/gcoap/gcoap.c
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@
#define NO_IMMEDIATE_REPLY (-1)

/* End of the range to pick a random timeout */
#define TIMEOUT_RANGE_END ((uint32_t)CONFIG_COAP_ACK_TIMEOUT_MS * CONFIG_COAP_RANDOM_FACTOR_1000 / 1000)

Check warning on line 53 in sys/net/application_layer/gcoap/gcoap.c

View workflow job for this annotation

GitHub Actions / static-tests

line is longer than 100 characters

/* Internal functions */
static void *_event_loop(void *arg);
Expand Down Expand Up @@ -1657,20 +1657,32 @@
ssize_t res = _cache_check(buf, len, memo, &cache_hit);

if (res < 0) {
DEBUG("gcoap: Error from cache check");
memo->state = GCOAP_MEMO_UNUSED;
mutex_unlock(&_coap_state.lock);
return res;
}
len = res;
}

switch (msg_type) {
case COAP_TYPE_CON:
/* Can't store it for retransmission, even though sending it from
* the provided buffer once is possible */
if (len > CONFIG_GCOAP_PDU_BUF_SIZE) {
DEBUG("gcoap: Request too large for retransmit buffer");
memo->state = GCOAP_MEMO_UNUSED;
mutex_unlock(&_coap_state.lock);
return -EINVAL;
}

/* copy buf to resend_bufs record */
memo->msg.data.pdu_buf = NULL;
for (int i = 0; i < CONFIG_GCOAP_RESEND_BUFS_MAX; i++) {
if (!_coap_state.resend_bufs[i][0]) {
memo->msg.data.pdu_buf = &_coap_state.resend_bufs[i][0];
memcpy(memo->msg.data.pdu_buf, buf,
CONFIG_GCOAP_PDU_BUF_SIZE);
len);
memo->msg.data.pdu_len = len;
break;
}
Expand Down
Loading