Arm Mbed OS 5.14.0 Out-of-bounds Write Vulnerability

Summary

Buffer overflows were discovered in the CoAP library in Arm Mbed OS 5.14.0. The CoAP parser is responsible for parsing received CoAP packets. The function sn_coap_parser_options_parse() parses CoAP input linearly using a while loop. Once an option is parsed in a loop iteration, the current pointer (*packet_data_pptr) is advanced correspondingly. The pointer is restricted by the size of the received buffer, as well as by the 0xFF delimiter byte.

Credit:

The information has been provided by the vendor.

The original article can be found at: https://github.com/ARMmbed/mbed-os/issues/11803

 


Details

Inside each while loop, the check of the value of *packet_data_pptr is not strictly enforced. More specifically, inside a loop, *packet_data_pptr could be increased and then dereferenced without checking. Moreover, there are many other functions in the format of sn_coap_parser_****() that do not check whether the pointer is within the bounds of the allocated buffer. All of these lead to heap-based or stack-based buffer overflows, depending on how the CoAP packet buffer is allocated.
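The missing check, shown from the defensive side: the following is an added example, not code from Mbed OS or from the original advisory, of a CoAP option walker (RFC 7252 option format) in which every pointer advance is validated against the end of the buffer before any dereference. All names are hypothetical, and it assumes buf points at the first option byte, after the fixed header and token.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names throughout; this is not the Mbed OS parser. */
typedef struct { const uint8_t *p, *end; } cursor_t;

/* Read one byte only if the cursor is still inside the buffer. */
static int take_u8(cursor_t *c, uint8_t *out) {
    if (c->p >= c->end) return -1;
    *out = *c->p++;
    return 0;
}

/* Decode a 4-bit delta/length nibble plus its extension bytes (RFC 7252, 3.1). */
static int take_ext(cursor_t *c, uint8_t nibble, uint32_t *out) {
    uint8_t hi = 0, lo;
    if (nibble == 15) return -1;                     /* reserved value */
    if (nibble < 13) { *out = nibble; return 0; }
    if (nibble == 14 && take_u8(c, &hi)) return -1;  /* high byte of the 16-bit form */
    if (take_u8(c, &lo)) return -1;
    *out = (nibble == 13) ? 13u + lo : 269u + (((uint32_t)hi << 8) | lo);
    return 0;
}

/* Walk the option area; return the option count, or -1 on a malformed packet. */
int coap_count_options(const uint8_t *buf, size_t len) {
    if (!buf) return -1;
    cursor_t c = { buf, buf + len };
    int count = 0;
    while (c.p < c.end && *c.p != 0xFF) {            /* stop at end or payload marker */
        uint8_t hdr;
        uint32_t delta, optlen;
        if (take_u8(&c, &hdr)) return -1;
        if (take_ext(&c, hdr >> 4, &delta)) return -1;
        if (take_ext(&c, hdr & 0x0F, &optlen)) return -1;
        if (optlen > (size_t)(c.end - c.p)) return -1; /* value must fit in what is left */
        c.p += optlen;
        count++;
    }
    return count;
}

int main(void) {
    /* Constructed sample: Uri-Path "test", then the payload marker and one payload byte. */
    const uint8_t pkt[] = { 0xB4, 't', 'e', 's', 't', 0xFF, 0x01 };
    printf("full=%d truncated=%d\n", coap_count_options(pkt, sizeof pkt), coap_count_options(pkt, 3));
    return 0;
}
```

The truncated call reports -1 because the option header claims four value bytes while only two remain, which is the condition the advisory says goes unchecked.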

 

Vulnerable Systems:

Arm Mbed OS 5.14.0 

 

CVE Information:

CVE-2019-17212

 

Disclosure Timeline:
Published Date: 11/5/2019