Arm Mbed OS 5.14.0 Integer Overflow or Wraparound Vulnerability

Summary

An integer overflow was discovered in the CoAP library in Arm Mbed OS 5.14.0. The function sn_coap_builder_calc_needed_packet_data_size_2() is used to calculate the required memory for the CoAP message from the sn_coap_hdr_s data structure.

Credit:

The information has been provided by Vendor

The original article can be found at:https://github.com/ARMmbed/mbed-os/blob/d0686fd30b4d3d02efdc7e4d0fbf0dfe173543b6/features/frameworks/mbed-coap/source/sn_coap_builder.c#L1090

 


Details

Both returned_byte_count and src_coap_msg_ptr->payload_len are of type uint16_t. When added together, the result returned_byte_count can wrap around the maximum uint16_t value. As a result, insufficient buffer space is allocated for the corresponding CoAP message.

 

Vulnerable Systems:

Arm Mbed OS 5.14.0

 

CVE Information:

CVE-2019-17211

 

Disclosure Timeline:
Published Date:11/5/2019