Merge pull request #20549 from chrysn-pull-requests/gcoap-asan

gcoap: Avoid reading beyond defined input buffer
RIOT-OS · Jul 30, 2024 · 1e6164f · 1e6164f
2 parents fe3a4e2 + 2f7cbd3
commit 1e6164f
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/sys/net/application_layer/gcoap/gcoap.c b/sys/net/application_layer/gcoap/gcoap.c
@@ -1658,20 +1658,32 @@ ssize_t gcoap_req_send(const uint8_t *buf, size_t len,
             ssize_t res = _cache_check(buf, len, memo, &cache_hit);
 
             if (res < 0) {
+                DEBUG("gcoap: Error from cache check");
+                memo->state = GCOAP_MEMO_UNUSED;
+                mutex_unlock(&_coap_state.lock);
                 return res;
             }
             len = res;
         }
 
         switch (msg_type) {
         case COAP_TYPE_CON:
+            /* Can't store it for retransmission, even though sending it from
+             * the provided buffer once is possible */
+            if (len > CONFIG_GCOAP_PDU_BUF_SIZE) {
+                DEBUG("gcoap: Request too large for retransmit buffer");
+                memo->state = GCOAP_MEMO_UNUSED;
+                mutex_unlock(&_coap_state.lock);
+                return -EINVAL;
+            }
+
             /* copy buf to resend_bufs record */
             memo->msg.data.pdu_buf = NULL;
             for (int i = 0; i < CONFIG_GCOAP_RESEND_BUFS_MAX; i++) {
                 if (!_coap_state.resend_bufs[i][0]) {
                     memo->msg.data.pdu_buf = &_coap_state.resend_bufs[i][0];
                     memcpy(memo->msg.data.pdu_buf, buf,
-                           CONFIG_GCOAP_PDU_BUF_SIZE);
+                           len);
                     memo->msg.data.pdu_len = len;
                     break;
                 }