nanocoap: fix server-side option_count overflow

[kaspar030]

Contribution description

nanocoap limits the number of options it parses, but didn't check if that limit was reached when parsing a packet. (See report in #10753).

This PR provides a fix. It also adds a unittest that exposes the flaw.

Fixes #10753.

Testing procedure

Run unittests without uppermost commit. The nanocoap test should crash on native. Run again with topmost commit. Tests should succeed.

Issues/PRs references

See #10753.

[kb2ma]

Just took a first look. The fix looks appropriate. Need to do a little more testing.

In the unit test, how do I know that the printed pointer values indicate a good test? Just that they are close to each other? Is it possible to be more specific? It's odd to print values as part of a unit test. I would think it makes more sense to compare the values within the test, and fail the test if the difference is outside of some range.

[kaspar030]

In the unit test, how do I know that the printed pointer values indicate a good test? Just that they are close to each other? Is it possible to be more specific? It's odd to print values as part of a unit test. I would think it makes more sense to compare the values within the test, and fail the test if the difference is outside of some range.

When I wrote the test, I wasn't sure that it would (without the fix) crash.
The coap options array is the last field in coap_pkt_t. My logic was that if I have pkt on the stack and directly after it another value (guard_value), if coap_parse() exceeded the options array, it would overwrite the guard value. But without getting an address of both of the variables, the compiler might just keep them in registers. Thus the printf...
While writing this I realized that any overflow would go to stack space before (or above) pkt, not after (or below), on all our platforms. So I think the guard_value declaration must be moved before pkt.

Does this make sense at all or does anyone have a better idea on how to detect an overflow of the options array?

[kb2ma]

Sorry, I have no insights. In keeping with the current approach, you could put a guard value on both sides to be safe.

Another approach is to set the maximum number of options (NANOCOAP_NOPTS_MAX) to a small value and try a functional test. That's what I'm working on.

[kb2ma]

You also could craft an array with NANOCOAP_NOPTS_MAX options, parse it, and expect success. Then add another option to it and expect -ENOMEM. That should be sufficient for this test. No need to get into the low level overflow detection.

[kb2ma]

Need to fix option count comparison.

[kb2ma]

It should be OK to include NANOCOAP_NOPTS_MAX options. This test should be moved above addition to the array, probably line 109. The test then should be:

if (option_count == NANOCOAP_NOPTS_MAX) {

[kaspar030]

Yes. The new test seems to be working, it exposed that using "==" here caused to write one behind the options array. So I moved the check to the beginning of the if case.

[kaspar030]

Then add another option to it and expect -ENOMEM. That should be sufficient for this test. No need to get into the low level overflow detection.

I think I found a way. At least on native it works as expected.

[kb2ma]

I agree the verification in coap_parse() is in the right place now. See my suggested alternative unit test in kapar030/#41. We're getting closer...

[kb2ma]

I kind of understand what you are doing to test the overflow. Why are there 42 options in guard data? How does the unit test work? I think it's important for others to understand this without a lot of thought/investigation.

[kaspar030]

I've added some comments.

[kaspar030]

See my suggested alternative unit test in kapar030/#41.

I have cherry-picked the commit. IMO more test code doesn't hurt, even if they test the same thing.

[kb2ma]

I agree it's OK to include both tests since they verify from different directions. These tests run OK for me on native and samr21-xpro. I verified that allowing coap_parse() to write an extra option makes the tests fail.

Thanks for adding the comments in the test. The only remaining question for me is why are there 42 options in guard_data instead of only one or two. When I allowed the parse to overwrite the guard data, I found the overwrite occurred in the first few bytes.

[kaspar030]

The only remaining question for me is why are there 42 options in guard_data instead of only one or two. When I allowed the parse to overwrite the guard data, I found the overwrite occurred in the first few bytes.

@nmeum provided this packet in his original report, and I was lazy enough to take it as-is. The number just needs to be higher than NANOCOAP_NOPT_MAX. (42 seemed to be the right answer after thinking for 7.5 million years.) I've added a note stating that 42 is basically randomly chosen.

[kb2ma]

OK, good enough. ACK, please squash.

[kaspar030]

Thanks @kb2ma!

[jia200x]

@kaspar030 could you provide a backport to the 2018.10 branch?