er-coap - memory corruption in coap_parse_int_option (SIGSEGV) #2238

@stze

Parsing the following coap message results in a crash of contiki:

CoAP message hexdump:

```
00000000  51 51 51 00 80 51 51 51  51 4e 51 51 51 51 51 51  |QQQ..QQQQNQQQQQQ|
00000010  51 f5 06                                          |Q..|
00000013
```

How to reproduce:

```c
#include "er-coap.h"

/* Crashing input: the first 16 bytes of the hexdump above, fed straight to the parser */
static coap_packet_t message[1];
uint8_t teststr[] = { 0x51, 0x51, 0x51, 0x00, 0x80, 0x51, 0x51, 0x51, 0x51, 0x4e, 0x51, 0x51, 0x51, 0x51, 0x51, 0x51 };
coap_parse_message(message, (unsigned char *)teststr, sizeof(teststr));
```

gdb:

```
Program received signal SIGSEGV, Segmentation fault.
0x0000000000414f43 in coap_parse_int_option (bytes=0x7fffffffc27c "QQQQQ\365\006", length=21086) at ../../apps/er-coap/er-coap.c:92
92	    var |= bytes[i++];
(gdb) bt
#0  0x0000000000414f43 in coap_parse_int_option (bytes=0x7fffffffc27c "QQQQQ\365\006", length=21086) at ../../apps/er-coap/er-coap.c:92
#1  0x000000000041462b in coap_parse_message (packet=0x63a240 <message>, data=0x7fffffffc270 "QQQ", data_len=19) at ../../apps/er-coap/er-coap.c:546
#2  0x0000000000407788 in process_thread_er_example_client (process_pt=0x639198 <er_example_client+24>, ev=<optimized out>, data=<optimized out>) at er-example-client.c:115
#3  0x000000000041bde8 in call_process (p=0x639180 <er_example_client>, ev=129 '\201', data=0x0) at ../../core/sys/process.c:190
#4  0x000000000041b7f5 in process_post_synch (p=0x639180 <er_example_client>, ev=129 '\201', data=0x0) at ../../core/sys/process.c:366
#5  0x000000000041b7b3 in process_start (p=0x639180 <er_example_client>, data=0x0) at ../../core/sys/process.c:120
#6  0x000000000041aaeb in autostart_start (processes=0x430500 <autostart_processes>) at ../../core/sys/autostart.c:57
#7  0x000000000041a161 in main (argc=1, argv=0x7fffffffe568) at ../../platform/native/./contiki-main.c:247
```

valgrind:

```
==16577== Invalid read of size 1
==16577==    at 0x414F43: coap_parse_int_option (er-coap.c:92)
==16577==    by 0x41462A: coap_parse_message (er-coap.c:546)
==16577==    by 0x407787: process_thread_er_example_client (er-example-client.c:115)
==16577==    by 0x41BDE7: call_process (process.c:190)
==16577==    by 0x41B7F4: process_post_synch (process.c:366)
==16577==    by 0x41B7B2: process_start (process.c:120)
==16577==    by 0x41AAEA: autostart_start (autostart.c:57)
==16577==    by 0x41A160: main (contiki-main.c:247)
==16577==  Address 0xfff001000 is not stack'd, malloc'd or (recently) free'd
==16577== 
==16577== 
==16577== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==16577==  Access not within mapped region at address 0xFFF001000
==16577==    at 0x414F43: coap_parse_int_option (er-coap.c:92)
==16577==    by 0x41462A: coap_parse_message (er-coap.c:546)
==16577==    by 0x407787: process_thread_er_example_client (er-example-client.c:115)
==16577==    by 0x41BDE7: call_process (process.c:190)
==16577==    by 0x41B7F4: process_post_synch (process.c:366)
==16577==    by 0x41B7B2: process_start (process.c:120)
==16577==    by 0x41AAEA: autostart_start (autostart.c:57)
==16577==    by 0x41A160: main (contiki-main.c:247)
==16577==  If you believe this happened as a result of a stack
==16577==  overflow in your program's main thread (unlikely but
==16577==  possible), you can try to increase the size of the
==16577==  main thread stack using the --main-stacksize= flag.
==16577==  The main thread stack size used in this run was 8388608.
OPTION 14 (delta 4, len 21086): ==16577== 
==16577== HEAP SUMMARY:
==16577==     in use at exit: 0 bytes in 0 blocks
==16577==   total heap usage: 1 allocs, 1 frees, 1,024 bytes allocated
==16577== 
==16577== All heap blocks were freed -- no leaks are possible
==16577== 
==16577== For counts of detected and suppressed errors, rerun with: -v
==16577== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```

The crash has been found with afl-fuzz.

Best Regards,
Stephan Zeisberg
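Added example, not part of the report or of er-coap: a bounds-checked walk over the CoAP option area (RFC 7252 option-header encoding) that rejects the hexdump packet above instead of reading past it. The byte 0x4e at offset 9 declares Max-Age (option 14) with a two-byte extended length, 0x5151 + 269 = 21086, which is the `length=21086` seen in gdb; the parser below compares that declared length against the bytes actually left before touching the value. Names (`coap_check_packet`, `decode_nibble`) and both input packets are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
enum { COAP_OK = 0, COAP_TRUNCATED = -1, COAP_BAD_HEADER = -2 };
struct coap_check { int rc; unsigned option, length; };  /* status + last option header seen */

/* Decode one option-header nibble (RFC 7252 s3.1): 13 => one extra byte + 13,
 * 14 => two extra bytes + 269, 15 reserved. Extension bytes are read only if they fit. */
static int decode_nibble(uint8_t nib, const uint8_t *p, size_t avail, size_t *used, unsigned *val)
{
    if (nib < 13) { *val = nib; *used = 0; return COAP_OK; }
    if (nib == 15) return COAP_BAD_HEADER;
    *used = (nib == 13) ? 1 : 2;
    if (avail < *used) return COAP_TRUNCATED;
    *val = (nib == 13) ? 13u + p[0] : 269u + (((unsigned)p[0] << 8) | p[1]);
    return COAP_OK;
}

/* Validate the fixed header and walk the option area without reading past `len`: each
 * declared option length is checked against the bytes left before the value is touched. */
struct coap_check coap_check_packet(const uint8_t *data, size_t len)
{
    struct coap_check r = { COAP_OK, 0, 0 };
    size_t off, used; unsigned delta = 0;
    if (len < 4 || (data[0] & 0x0F) > 8) { r.rc = COAP_BAD_HEADER; return r; }
    off = 4 + (data[0] & 0x0F);                       /* fixed header + token */
    if (off > len) { r.rc = COAP_TRUNCATED; return r; }
    while (off < len && data[off] != 0xFF) {          /* 0xFF = payload marker */
        uint8_t hdr = data[off++];
        if ((r.rc = decode_nibble(hdr >> 4, data + off, len - off, &used, &delta))) return r;
        off += used;
        if ((r.rc = decode_nibble(hdr & 0x0F, data + off, len - off, &used, &r.length))) return r;
        off += used;
        r.option += delta;
        if (r.length > len - off) { r.rc = COAP_TRUNCATED; return r; }   /* the missing check */
        off += r.length;
    }
    return r;
}

/* Constructed inputs: the issue's 19-byte hexdump packet, and a well-formed GET
 * carrying a one-byte Uri-Path (option 11) for comparison. */
static const uint8_t crash_pkt[] = { 0x51,0x51,0x51,0x00,0x80,0x51,0x51,0x51,0x51,0x4e,
                                     0x51,0x51,0x51,0x51,0x51,0x51,0x51,0xf5,0x06 };
static const uint8_t good_pkt[] = { 0x40,0x01,0x00,0x01,0xb1,'a' };
int main(void)
{
    struct coap_check r = coap_check_packet(crash_pkt, sizeof crash_pkt);
    printf("rc=%d option=%u declared length=%u\n", r.rc, r.option, r.length);
    return 0;   /* prints: rc=-1 option=14 declared length=21086 */
}
```

The 16-byte `teststr` from the reproduction is rejected the same way (only 4 bytes remain after the option header), so the check is independent of which truncation of the packet is fed in.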
