From 7fab8aa6fbb747e0610ec43272c35ac9ed2b59b3 Mon Sep 17 00:00:00 2001
From: Jon Shallow
Date: Sat, 14 Jan 2023 15:02:14 +0000
Subject: [PATCH] OSCORE Option: Check for off by one for kid
---
 src/coap_debug.c | 6 ++++--
 src/oscore/oscore.c | 2 ++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/coap_debug.c b/src/coap_debug.c
index ed7cc8898b..a18a147144 100644
--- a/src/coap_debug.c
+++ b/src/coap_debug.c
@@ -740,6 +740,8 @@ coap_show_pdu(coap_log_t level, const coap_pdu_t *pdu) {
 }
 if (opt_val[0] & 0x10) {
 /* kid context */
+ if (ofs >= opt_len)
+ goto no_more;
 cnt = opt_val[ofs];
 if (cnt > opt_len - ofs - 1)
 goto no_more;
@@ -756,9 +758,9 @@ coap_show_pdu(coap_log_t level, const coap_pdu_t *pdu) {
 }
 if (opt_val[0] & 0x08) {
 /* kid */
- cnt = opt_len - ofs;
- if (cnt > opt_len - ofs)
+ if (ofs >= opt_len)
 goto no_more;
+ cnt = opt_len - ofs;
 buf_len = strlen((char *)buf);
 snprintf((char *)&buf[buf_len], sizeof(buf)-buf_len, "%skid=0x", buf_len ? "," : "");
diff --git a/src/oscore/oscore.c b/src/oscore/oscore.c
index f8956ac57f..871c660c7a 100644
--- a/src/oscore/oscore.c
+++ b/src/oscore/oscore.c
@@ -278,6 +278,8 @@ oscore_decode_option_value(const uint8_t *opt_value,
 if ((opt_value[0] & 0x10) != 0) {
 coap_bin_const_t kid_context;
+ if (offset >= option_len)
+ return 0;
 kid_context.length = opt_value[offset];
 offset++;
 if (offset + kid_context.length > option_len) {
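Review bot: The new `if (ofs >= opt_len)` guard in the kid context branch of coap_show_pdu() carries no comment, yet the check on the following line, `cnt > opt_len - ofs - 1`, silently depends on it: if `opt_len` and `ofs` are unsigned (their declarations are outside the hunk), that subtraction wraps when `ofs == opt_len` and the length test then passes. I would record that above the guard, e.g. `/* the 1-byte kid context length must be present; also keeps opt_len - ofs - 1 from wrapping */`. The equivalent guard added in oscore_decode_option_value() in src/oscore/oscore.c, `if (offset >= option_len) return 0;`, deserves the matching comment `/* kid context length byte must be present before it is read */`. Both functions start and end outside their hunks.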
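Review bot: In the kid branch of coap_show_pdu() the guard `if (ofs >= opt_len) goto no_more;` also fires for `ofs == opt_len`, a case where no byte is read before `cnt = opt_len - ofs` and the count would simply be 0. RFC 8613 allows the kid flag to be set with a zero-length kid, so such an option now drops out of the debug line instead of showing an empty `kid=0x`, which can hide the flag from someone reading logs while triaging OSCORE traffic. If that is not intended, `if (ofs > opt_len)` keeps the wrap protection; if it is intended, a comment such as `/* zero-length kid is deliberately not shown */` would say so. The code that consumes `cnt` and the `no_more` label are outside the hunk, so confirm that a zero count is handled there.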