RIOT-OS/RIOT
RIOT-OS/RIOT
1
0
Fork 0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2024-12-29 04:50:03 +01:00
Code Releases Activity

nanocoap: always write at least 1 byte in coap_block2_finish()

Browse Source 
The CoAP block option gets written twice:
First a 'dummy' value is written by `coap_opt_add_block2()`, later this gets
overwritten by the real option value by coap_block2_finish().

The problem arises when the size of the option changes.
If the option ends up smaller than the dummy, we have garbage bytes after the
real option value, corrupting the packet.

To mitigate this, always write at least one option byte (which will be a 0 byte)
to ensure the dummy data is overwritten.

fixes #20686
This commit is contained in:
Benjamin Valentin 2024-09-07 16:08:01 +02:00
parent ed9faa9f06
commit 66fe083d9b
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/net/application_layer/nanocoap/nanocoap.c
View File

@ -1339,6 +1339,11 @@ bool coap_block_finish(coap_block_slicer_t *slicer, uint16_t option)
uint32_t blkopt = _slicer2blkopt(slicer, more);
size_t olen = _encode_uint(&blkopt);
/* ensure that we overwrite the dummy value set by coap_block2_init() */
if (!olen) {
olen = 1;
}
coap_put_option(slicer->opt, option - delta, option, (uint8_t *)&blkopt, olen);
return more;
}