OSCORE Option: Check for off by one for kid

obgm · Jan 14, 2023 · 7fab8aa · 7fab8aa
1 parent 7623e0f
commit 7fab8aa
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/src/coap_debug.c b/src/coap_debug.c
@@ -740,6 +740,8 @@ coap_show_pdu(coap_log_t level, const coap_pdu_t *pdu) {
         }
         if (opt_val[0] & 0x10) {
           /* kid context */
+          if (ofs >= opt_len)
+            goto no_more;
           cnt = opt_val[ofs];
           if (cnt > opt_len - ofs - 1)
             goto no_more;
@@ -756,9 +758,9 @@ coap_show_pdu(coap_log_t level, const coap_pdu_t *pdu) {
         }
         if (opt_val[0] & 0x08) {
           /* kid */
-          cnt = opt_len - ofs;
-          if (cnt > opt_len - ofs)
+          if (ofs >= opt_len)
             goto no_more;
+          cnt = opt_len - ofs;
           buf_len = strlen((char *)buf);
           snprintf((char *)&buf[buf_len], sizeof(buf)-buf_len, "%skid=0x",
                    buf_len ? "," : "");

diff --git a/src/oscore/oscore.c b/src/oscore/oscore.c
@@ -278,6 +278,8 @@ oscore_decode_option_value(const uint8_t *opt_value,
   if ((opt_value[0] & 0x10) != 0) {
     coap_bin_const_t kid_context;
 
+    if (offset >= option_len)
+      return 0;
     kid_context.length = opt_value[offset];
     offset++;
     if (offset + kid_context.length > option_len) {