Summary
During CoAP header parsing, the CoAP parser reads the extended token length (TKL) field from the received CoAP packet without validating the received packet is large enough to contain the extended token length field.
Details
Execution trace leading to the vulnerability:
- In nanocoap.c:L80, the function coap_parse_udp receives the UDP payload from the network.
- At nanocoap.c:L93, it validates that the packet is at least the size of the coap_udp_hdr_t header (4 bytes). For UDP CoAP packets with extended token lengths, however, this check is insufficient.
- At nanocoap.c:L108, coap_parse_udp calls coap_get_token_len to compute the token length; coap_get_token_len in turn calls coap_hdr_get_token_len.
- At nanocoap.h:L830 and nanocoap.h:L832, coap_hdr_get_token_len reads 1–2 bytes beyond the previously validated header. Therefore, if the CoAP stack receives a packet containing only the 4-byte header, these reads go out of bounds.
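As an added illustration (not RIOT's nanocoap code), the following stand-alone C functions perform the length validation the trace above shows to be missing: every read of an extended TKL byte is preceded by a check that the buffer actually contains it, following the RFC 8974 encoding (TKL 13 means one extra byte, length minus 13; TKL 14 means two extra bytes, length minus 269; TKL 15 is reserved). The function and macro names are mine.

```c
#include <stddef.h>
#include <stdint.h>

/* Fixed CoAP-over-UDP header: Ver/T/TKL, Code, Message ID (RFC 7252). */
#define COAP_UDP_HDR_LEN 4u

/* Token length of a CoAP-over-UDP packet, honouring the RFC 8974 extended
 * TKL encoding. Returns -1 if len cannot hold the fixed header plus the
 * extended TKL byte(s), or if TKL is the reserved value 15. Each read of
 * buf[4] / buf[5] is guarded by a length check first. */
int coap_token_len_checked(const uint8_t *buf, size_t len)
{
    if (len < COAP_UDP_HDR_LEN) {
        return -1;
    }
    unsigned tkl = buf[0] & 0x0fu;
    if (tkl < 13u) {
        return (int)tkl;                         /* 0..12: the nibble itself */
    }
    if (tkl == 13u) {
        if (len < COAP_UDP_HDR_LEN + 1u) {
            return -1;                           /* 1-byte extension missing */
        }
        return 13 + buf[4];                      /* 8-bit (length - 13) */
    }
    if (tkl == 14u) {
        if (len < COAP_UDP_HDR_LEN + 2u) {
            return -1;                           /* 2-byte extension missing */
        }
        return 269 + (int)(((unsigned)buf[4] << 8) | buf[5]); /* 16-bit (length - 269) */
    }
    return -1;                                   /* TKL 15 is reserved */
}

/* Offset of the first byte after the token (start of options), or -1 if
 * the header, the extension or the token itself does not fit in len. */
int coap_token_end_checked(const uint8_t *buf, size_t len)
{
    int tkl = coap_token_len_checked(buf, len);
    if (tkl < 0) {
        return -1;
    }
    unsigned nibble = buf[0] & 0x0fu;
    size_t ext = (nibble == 13u) ? 1u : (nibble == 14u) ? 2u : 0u;
    size_t end = COAP_UDP_HDR_LEN + ext + (size_t)tkl;
    return (end <= len) ? (int)end : -1;
}
```

A parser that rejects the packet whenever either function returns -1 never touches buf[4] or buf[5] on a 4-byte packet, which is exactly the case the advisory describes.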
PoC
Impact
This vulnerability can be triggered by an untrusted packet from an attacker and can cause the system to read uninitialized memory or memory belonging to adjacent objects.
This can cause a crash and lead to denial of service. On the safety-critical devices on which RIOT-OS is typically deployed, such a denial of service can be catastrophic.