Skip to content

sys/net/nanocoap: fix buffer overflow in separate response handling #21075

Merged
maribu merged 5 commits intoRIOT-OS:masterfrom
maribu:sys/net/nanocoap/buffer-overflow-separate-response
Dec 13, 2024
Merged

sys/net/nanocoap: fix buffer overflow in separate response handling #21075
maribu merged 5 commits intoRIOT-OS:masterfrom
maribu:sys/net/nanocoap/buffer-overflow-separate-response

Conversation

@maribu
Copy link
Copy Markdown
Member

@maribu maribu commented Dec 11, 2024

Contribution description

When RFC 8974 support (module nanocoap_token_ext) is in use, the request token may be longer than the buffer in the separate response context is large. This adds a check to not overflow the buffer.

Sadly, this is an API change: Preparing the separate response context can actually fail, so we need to report this with a return value.

The example application has been adapted to only proceed if the separate reply context could have been prepared, and rather directly emit a reset message if the token exceeds the static buffer.

Testing procedure

A second commit has been sneaked in to add the client_token shell command to tests/net/nanocoap_cli that allow specifying the Token as hex. The most recently set token is used in client.

Preparation

$  sudo ./dist/tools/tapsetup/tapsetup

Running the Server

This should be done with master and this PR

$ USEMODULE=nanocoap_token_ext make BOARD=native64 -C examples/nanocoap_server && examples/nanocoap_server/bin/native64/nanocoap_server.elf -w tap1
[...]
main(): This is RIOT! (Version: 2025.01-devel-261-g75828)
RIOT nanocoap example application
Waiting for address autoconfiguration...
{"IPv6 addresses": ["<IPV6_ADDR>"]}

copy the <IPV6_ADDR> part of the output

Running the Client

This should be done with this PR only (or cherry-picking the second commit onto master).

$ USEMODULE=nanocoap_token_ext make BOARD=native64 -C tests/net/nanocoap_cli flash term
[...]
2024-12-11 18:10:58,750 # RIOT native interrupts/signals initialized.
2024-12-11 18:10:58,751 # RIOT native board initialized.
2024-12-11 18:10:58,751 # RIOT native hardware initialization complete.
2024-12-11 18:10:58,751 # 
2024-12-11 18:10:58,752 # main(): This is RIOT! (Version: 2025.01-devel-262-g562036-sys/net/nanocoap/buffer-overflow-separate-response)
2024-12-11 18:10:58,752 # nanocoap test app
2024-12-11 18:10:58,752 # All up, running the shell now
> client_token deadbeefdeadbeefdeadbeef
2024-12-11 18:12:11,060 # client_token deadbeefdeadbeefdeadbeef
> client get fe80::24de:d0ff:fe85:bdb2 5683 /separate
2024-12-11 18:12:27,736 # client get fe80::24de:d0ff:fe85:bdb2 5683 /separate
2024-12-11 18:12:27,736 # nanocli: sending msg ID 1, 25 bytes
2024-12-11 18:13:45,417 # nanocli: msg send failed: -110

Output

On master, this will result in

RIOT native interrupts/signals initialized.
RIOT native board initialized.
RIOT native hardware initialization complete.

main(): This is RIOT! (Version: 2025.01-devel-261-g75828)
RIOT nanocoap example application
Waiting for address autoconfiguration...
{"IPv6 addresses": ["fe80::24de:d0ff:fe85:bdb2"]}
_separate_handler(): send ACK, schedule response
_separate_handler(): send delayed response
*** stack smashing detected ***: terminated
[1]    367561 IOT instruction (core dumped)  examples/nanocoap_server/bin/native64/nanocoap_server.elf -w tap1

With this PR, a RST message is replied and no buffer overflow / crash should appear.

Issues/PRs references

None

@maribu maribu added CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors) labels Dec 11, 2024
@github-actions github-actions bot added Area: network Area: Networking Area: tests Area: tests and testing framework Area: CoAP Area: Constrained Application Protocol implementations Area: sys Area: System Area: examples Area: Example Applications labels Dec 11, 2024
@riot-ci
Copy link
Copy Markdown

riot-ci commented Dec 11, 2024
edited
Loading

Murdock results

✔️ PASSED

c7af4b2 sys/net/nanocoap: fix invalid RST messages

Success Failures Total Runtime
10249 0 10249 19m:26s

Artifacts

benpicco
benpicco reviewed Dec 11, 2024
View reviewed changes
@maribu maribu force-pushed the sys/net/nanocoap/buffer-overflow-separate-response branch from 41d8af4 to 6221061 Compare December 11, 2024 19:20
@maribu maribu requested a review from kaspar030 as a code owner December 11, 2024 19:20
@maribu maribu force-pushed the sys/net/nanocoap/buffer-overflow-separate-response branch from 6221061 to 7e0c535 Compare December 11, 2024 19:50
maribu
maribu commented Dec 11, 2024
View reviewed changes
@maribu maribu force-pushed the sys/net/nanocoap/buffer-overflow-separate-response branch from 7e0c535 to 4c46407 Compare December 11, 2024 19:55
@maribu maribu added the Process: needs backport Integration Process: The PR is required to be backported to a release or feature branch label Dec 11, 2024
@maribu maribu force-pushed the sys/net/nanocoap/buffer-overflow-separate-response branch from 4c46407 to c391765 Compare December 11, 2024 20:43
benpicco
benpicco approved these changes Dec 12, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@benpicco benpicco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Even makes then code nicer :)

@maribu maribu added this pull request to the merge queue Dec 12, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 12, 2024
maribu and others added 5 commits December 12, 2024 14:28
@maribu
cpu/avr8_common: fix C++ compatibility of unistd.h
5fe7a2e 
C++ does not know about `restrict`, but both g++ and clang++ support
`__restrict`, as do `clang` and GCC [1].

Using `__restrict` instead of `restrict` is also what glibc does.

[1]: https://en.wikipedia.org/wiki/Restrict#Support_by_C++_compilers
@maribu @benpicco
sys/net/nanocoap: fix buffer overflow in separate response handling
7a738d0 
When RFC 8974 support (module `nanocoap_token_ext`) is in use, the
request token may be longer than the buffer in the separate response
context is large. This adds a check to not overflow the buffer.

Sadly, this is an API change: Preparing the separate response context
can actually fail, so we need to report this with a return value.

The example application has been adapted to only proceed if the separate
reply context could have been prepared, and rather directly emit a
reset message if the token exceeds the static buffer.

Co-authored-by: benpicco <[email protected]>
@maribu
sys/fmt: add scn_buf_hex()
6b12793 
This adds a function to convert a hex string to a byte array.
@maribu @benpicco
tests/net/nanocoap_cli: allow specifying the token
fa011a8 
This adds the client_token shell command that allows to specify the
CoAP Token. This is particularly useful to test extended length Tokens,
as enabled with module `nanocoap_token_ext`.

Co-authored-by: benpicco <[email protected]>
@maribu
sys/net/nanocoap: fix invalid RST messages
c7af4b2 
An RST message has no token, so don't reply with a token when sending
RST.

This also adds unit tests to ensure this this exact bug does not sneak
back in.
@maribu maribu force-pushed the sys/net/nanocoap/buffer-overflow-separate-response branch from c391765 to c7af4b2 Compare December 12, 2024 13:28
@github-actions github-actions bot added Platform: AVR Platform: This PR/issue effects AVR-based platforms Area: cpu Area: CPU/MCU ports labels Dec 12, 2024
@maribu maribu enabled auto-merge December 12, 2024 13:28
@maribu maribu added this pull request to the merge queue Dec 12, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Dec 12, 2024
@maribu maribu added this pull request to the merge queue Dec 12, 2024
Merged via the queue into RIOT-OS:master with commit 28753e3 Dec 13, 2024
@maribu
Copy link
Copy Markdown
Member Author

maribu commented Dec 13, 2024

Thx a lot!

@maribu maribu deleted the sys/net/nanocoap/buffer-overflow-separate-response branch December 13, 2024 07:21
@maribu maribu mentioned this pull request Dec 13, 2024
Merged
@MrKevinWeiss MrKevinWeiss added this to the Release 2025.01 milestone Jan 20, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@benpicco benpicco benpicco approved these changes

@nandojve nandojve nandojve approved these changes

@leandrolanzieri leandrolanzieri Awaiting requested review from leandrolanzieri leandrolanzieri is a code owner

@aabadie aabadie Awaiting requested review from aabadie aabadie is a code owner

@MichelRottleuthner MichelRottleuthner Awaiting requested review from MichelRottleuthner MichelRottleuthner is a code owner

@miri64 miri64 Awaiting requested review from miri64 miri64 is a code owner

@PeterKietzmann PeterKietzmann Awaiting requested review from PeterKietzmann

@kaspar030 kaspar030 Awaiting requested review from kaspar030 kaspar030 is a code owner

@kYc0o kYc0o Awaiting requested review from kYc0o kYc0o is a code owner

Assignees

No one assigned

Labels

Area: CoAP Area: Constrained Application Protocol implementations Area: cpu Area: CPU/MCU ports Area: examples Area: Example Applications Area: network Area: Networking Area: sys Area: System Area: tests Area: tests and testing framework CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Platform: AVR Platform: This PR/issue effects AVR-based platforms Process: needs backport Integration Process: The PR is required to be backported to a release or feature branch Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors)

Projects

None yet

Milestone

Release 2025.01

Development

Successfully merging this pull request may close these issues.

5 participants

@maribu @riot-ci @benpicco @nandojve @MrKevinWeiss