
nanocoap: prevent integer underflow in coap_opt_put_uri_pathquery() #19994

Merged
merged 1 commit into from
Oct 24, 2023


benpicco (Contributor)

Contribution description

If `uri` contains no path but only a query (`?foo=bar`), `len` would underflow. Fix this by detecting if there is no path.

Reported by @Yu3H0

Testing procedure

Issues/PRs references

GHSA-4hvc-7m7r-78xq
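The failure mode the description names, as an added example that is not RIOT's nanocoap code: a hypothetical model of the path-length arithmetic in a function like `coap_opt_put_uri_pathquery()`, beside a hardened version that checks for the no-path case before subtracting. The model assumes the path length is derived from the position of `?` and that one byte is subtracted to drop a leading `/`; whether RIOT's code did exactly that is not shown on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical model of the pre-fix arithmetic (assumption, not RIOT's code).
 * The path is everything before '?'; one byte is subtracted for a leading '/'.
 * With uri = "?foo=bar", query == uri, so the expression is (size_t)0 - 1,
 * which wraps to SIZE_MAX: a downstream option writer would then be asked
 * to copy SIZE_MAX bytes of "path" into the CoAP packet buffer. */
size_t path_len_underflow(const char *uri)
{
    const char *query = strchr(uri, '?');
    size_t total = query ? (size_t)(query - uri) : strlen(uri);
    return total - 1; /* BUG: unsigned wrap when total == 0 */
}

/* Hardened version: detect "no path" explicitly before any subtraction,
 * and only drop a leading '/' when one is actually present.
 *   "/foo/bar?x=1" -> 7   (path then query)
 *   "?foo=bar"     -> 0   (query only: the case that underflowed)
 *   "/foo/bar"     -> 7   (no query)
 *   "foo?x"        -> 3   (no leading slash, nothing to drop)
 *   ""             -> 0   (empty URI) */
size_t path_len_safe(const char *uri)
{
    const char *query = strchr(uri, '?');
    size_t total = query ? (size_t)(query - uri) : strlen(uri);
    if (total == 0) {
        return 0; /* no path component at all */
    }
    return (uri[0] == '/') ? total - 1 : total;
}

/* Defensive check an encoder can run before writing the option: a length
 * that does not fit the remaining buffer (including the wrapped SIZE_MAX
 * produced by the buggy arithmetic) is rejected instead of copied. */
int path_fits(size_t path_len, size_t buf_remaining)
{
    return path_len <= buf_remaining;
}

int main(void)
{
    const char *uris[] = { "/foo/bar?x=1", "?foo=bar", "/foo/bar", "foo?x", "" };
    for (size_t i = 0; i < sizeof(uris) / sizeof(uris[0]); i++) {
        size_t bad = path_len_underflow(uris[i]);
        size_t good = path_len_safe(uris[i]);
        printf("%-14s buggy=%zu safe=%zu fits(64)=%d\n",
               uris[i], bad, good, path_fits(bad, 64));
    }
    return 0;
}
```

Running the block prints the buggy length as 18446744073709551615 on a 64-bit build for the query-only and empty inputs, which is why `path_fits()` rejects it while the hardened length passes.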

@github-actions github-actions bot added Area: network Area: Networking Area: CoAP Area: Constrained Application Protocol implementations Area: sys Area: System labels Oct 19, 2023
@benpicco benpicco force-pushed the coap_opt_put_uri_pathquery-underflow branch from ee3ab13 to f7db16a Compare October 19, 2023 12:03
@benpicco benpicco added CI: ready for build If set, CI server will compile all applications for all available boards for the labeled PR Type: bug The issue reports a bug / The PR fixes a bug (including spelling errors) labels Oct 19, 2023
@benpicco benpicco requested a review from MrKevinWeiss October 19, 2023 12:05
riot-ci commented Oct 19, 2023

Murdock results

✔️ PASSED

0fa04a3 nanocoap: prevent integer underflow in coap_opt_put_uri_pathquery()

Success: 7937, Failures: 0, Total: 7937, Runtime: 16m:22s


If uri contains no path but only a query "?foo=bar" `len` would underflow.
Fix this by detecting if there is no path.

Reported by @Yu3H0
@benpicco benpicco force-pushed the coap_opt_put_uri_pathquery-underflow branch from 6fdeead to 0fa04a3 Compare October 20, 2023 10:59
@MrKevinWeiss MrKevinWeiss added the Process: needs backport Integration Process: The PR is required to be backported to a release or feature branch label Oct 20, 2023
miri64 (Member) left a comment


ACK

miri64 (Member) commented Oct 24, 2023

bors merge

bors bot (Contributor) commented Oct 24, 2023

Build succeeded!

The publicly hosted instance of bors-ng is deprecated and will go away soon.

If you want to self-host your own instance, instructions are here.
For more help, visit the forum.

If you want to switch to GitHub's built-in merge queue, visit their help page.

@bors bors bot merged commit 61ae692 into RIOT-OS:master Oct 24, 2023
25 checks passed
@benpicco benpicco deleted the coap_opt_put_uri_pathquery-underflow branch October 24, 2023 13:55
bors bot added a commit that referenced this pull request Nov 2, 2023
20037: nib/_nib-6ln: bail out early if address is no longer assigned [backport 2023.10] r=benpicco a=MrKevinWeiss

# Backport of #19999

20038: nanocoap: prevent integer underflow in coap_opt_put_uri_pathquery() [backport 2023.10] r=benpicco a=MrKevinWeiss

# Backport of #19994

20039: sys/psa_crypto: Fix macro for public key max size and SE example [backport 2023.10] r=benpicco a=MrKevinWeiss

# Backport of #19995

### Contribution description
#### 1. Wrong public key size when using secure elements, introduced by  #19954
Fixed conditions for key size macros in `crypto_sizes.h`.

#### 2. EdDSA and ECDSA examples fail when using a secure element because of unsupported changes introduced by #19954
Updated `example/psa_crypto` to use only supported functions for secure elements.

### Testing procedure
Build `example/psa_crypto` for secure elements and run application

Output on master:
```
2023-10-19 14:33:24,372 # main(): This is RIOT! (Version: 2019.07-devel-22378-gb6772)
2023-10-19 14:33:24,372 # HMAC SHA256 took 56393 us
2023-10-19 14:33:24,372 # Cipher AES 128 took 68826 us
2023-10-19 14:33:24,372 # *** RIOT kernel panic:
2023-10-19 14:33:24,373 # HARD FAULT HANDLER
2023-10-19 14:33:24,373 # 
2023-10-19 14:33:24,373 # *** rebooting...

```
Output with fixes:
```
2023-10-19 13:35:24,715 # main(): This is RIOT! (Version: 2019.07-devel-22384-g8ef66-dev/psa-crypto-fixes)
2023-10-19 13:35:24,715 # HMAC SHA256 took 56374 us
2023-10-19 13:35:24,715 # Cipher AES 128 took 68805 us
2023-10-19 13:35:24,715 # ECDSA took 281164 us
2023-10-19 13:35:24,715 # All Done
```


Co-authored-by: Benjamin Valentin <[email protected]>
Co-authored-by: Lena Boeckmann <[email protected]>
@MrKevinWeiss MrKevinWeiss added this to the Release 2024.01 milestone Feb 7, 2024