From 0fa04a3d57a460af5ddca4b5a3c6d8341dc9be00 Mon Sep 17 00:00:00 2001
From: Benjamin Valentin
Date: Thu, 19 Oct 2023 14:00:03 +0200
Subject: [PATCH] nanocoap: prevent integer underflow in coap_opt_put_uri_pathquery()
If uri contains no path but only a query "?foo=bar" `len` would underflow. Fix this by detecting if there is no path.
Reported by @Yu3H0
---
 sys/net/application_layer/nanocoap/nanocoap.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/sys/net/application_layer/nanocoap/nanocoap.c b/sys/net/application_layer/nanocoap/nanocoap.c
index b5a6518979..a058ae1232 100644
--- a/sys/net/application_layer/nanocoap/nanocoap.c
+++ b/sys/net/application_layer/nanocoap/nanocoap.c
@@ -902,8 +902,15 @@ size_t coap_opt_put_string_with_len(uint8_t *buf, uint16_t lastonum, uint16_t op
 size_t coap_opt_put_uri_pathquery(uint8_t *buf, uint16_t *lastonum, const char *uri)
 {
+ size_t len;
 const char *query = strchr(uri, '?');
- size_t len = query ? (size_t)(query - uri - 1) : strlen(uri);
+
+ if (query) {
+ len = (query == uri) ? 0 : (query - uri - 1);
+ } else {
+ len = strlen(uri);
+ }
+
 size_t bytes_out = coap_opt_put_string_with_len(buf, *lastonum, COAP_OPT_URI_PATH, uri, len, '/');
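Review bot: The `- 1` in `(query - uri - 1)` is carried over from the removed line without explanation, and the `ptrdiff_t` result is now converted to `size_t` implicitly where the old line had an explicit cast. The `query == uri` guard does make the subtraction non-negative, since `strchr` returns a pointer at or after `uri`, so the cast can be restored as `len = (query == uri) ? 0 : (size_t)(query - uri - 1);`. For a URI such as `/a?x` this gives a length one less than the number of bytes before `?`; whether that is intended depends on how `coap_opt_put_string_with_len()` treats `len` and the leading `/`, which is not visible here. A short comment would help, e.g. `/* len excludes the byte before '?' - confirm against coap_opt_put_string_with_len() */`. The function body continues past the end of the hunk.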