From d4aa8aad10e58b927c4284d47dc4759d18ad7e31 Mon Sep 17 00:00:00 2001
From: Benjamin Valentin
Date: Tue, 11 Aug 2020 14:50:37 +0200
Subject: [PATCH] nanocoap: validate input with NDEBUG

A malformed or malicious CoAP request may contain invalid field lengths. `nanocoap` protects with this by using `assert()`, which safely crashes the application in debug mode. In release mode the check is removed. Instead of allowing arbitrary memory writes, return 0 on invalid inputs. Discovered by [Coverity](https://scan3.coverity.com/reports.htm#v46910/p10250/fileInstanceId=38357789&defectInstanceId=9793779&mergedDefectId=297306)
---
 sys/net/application_layer/nanocoap/nanocoap.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/sys/net/application_layer/nanocoap/nanocoap.c b/sys/net/application_layer/nanocoap/nanocoap.c
index f375666e3a..6e076e4d06 100644
--- a/sys/net/application_layer/nanocoap/nanocoap.c
+++ b/sys/net/application_layer/nanocoap/nanocoap.c
@@ -377,6 +377,11 @@ int coap_get_blockopt(coap_pkt_t *pkt, uint16_t option, uint32_t *blknum, unsign
 return -1;
 }
 
+ if (option_len > 4) {
+ DEBUG("nanocoap: invalid option length\n");
+ return -1;
+ }
+
 uint32_t blkopt = _decode_uint(data_start, option_len);
 
 DEBUG("nanocoap: blkopt len: %i\n", option_len);
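Review bot: The new `option_len > 4` branch returns -1 without writing `*blknum` or `*szx`, so a caller that does not check the return value would read whatever those variables held before; adding `*blknum = 0; *szx = 0;` ahead of the `return -1;` would make the malformed-packet path deterministic. The commit message says the function returns 0 on invalid input while the code returns -1, so the message or a short comment above the check should state which value callers must treat as the error. The guard covers only this call site: if the `assert()` mentioned in the description sits inside `_decode_uint`, other callers of that helper are presumably still unchecked under NDEBUG, and a length check in the helper itself would cover them all. The `%i` in the following DEBUG suggests `option_len` is signed, so it is worth confirming it cannot be negative at this point; its declaration and the rest of `coap_get_blockopt` lie outside the hunk.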