possible lwm2m buffer overflow

Description

Reported by: Eric Sesterhenn <eric.sesterhenn@x41-dsec.de> (Principal Security Consultant)

  • subsys/net/lib/lwm2m/lwm2m_engine.c

static char buf[32];
...
for (i = 0; i < tkl; i++) {
        pos += snprintk(&buf[pos], 31 - pos, "%x", token[i]);
}

No check is performed whether the printed string fits into the buffer.
snprintk() returns the size it would print if the buffer is big enough.
This might result in the calculation of 31 - pos underflowing, leading
to a large value being supplied to snprintk(), causing the next snprintk()
to succeed again.
I did not inspect all callers to see whether they provide a tkl where
this might not happen.
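The size arithmetic described in the report, next to a bounded variant of the loop, as an added example that is not part of the report or of the project's code. It assumes standard snprintf() as a stand-in for snprintk() with the return convention the report describes, and that pos is a signed int converted to size_t at the call; the function names, the out buffer and the sample token are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input: 17 token bytes that each print as two hex digits. */
const uint8_t sample_token[17] = {
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
};
char out[32]; /* same size as buf in the report */

/* Models the size argument of the reported loop without writing anything.
 * Assumption: pos is a signed int and the size parameter is size_t.
 * Returns the first iteration whose size argument wrapped, or -1. */
int first_wrapped_iteration(const uint8_t *token, size_t tkl)
{
    int pos = 0;
    for (size_t i = 0; i < tkl; i++) {
        size_t size_arg = (size_t)(31 - pos); /* conversion done at the call */
        if (size_arg > sizeof(out)) {
            return (int)i;
        }
        /* snprintf(NULL, 0, ...) returns the length that would be printed */
        pos += snprintf(NULL, 0, "%x", (unsigned int)token[i]);
    }
    return -1;
}

/* Bounded variant: keeps pos < buf_len and rejects truncated output.
 * Returns the number of characters written, or -1 if the token does not fit. */
int format_token(char *buf, size_t buf_len, const uint8_t *token, size_t tkl)
{
    size_t pos = 0;
    if (buf_len == 0) {
        return -1;
    }
    buf[0] = '\0';
    for (size_t i = 0; i < tkl; i++) {
        size_t room = buf_len - pos; /* >= 1, includes the terminator */
        int n = snprintf(&buf[pos], room, "%x", (unsigned int)token[i]);
        if (n < 0 || (size_t)n >= room) {
            buf[pos] = '\0'; /* discard the partial byte */
            return -1;
        }
        pos += (size_t)n;
    }
    return (int)pos;
}
```

For the sample input the model reports iteration 16, the 17th token byte, as the first call that would receive a wrapped size, while the bounded variant stops at 30 characters and returns -1.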

Environment

None

Assignee

Unassigned

Reporter

Ruud Derwig

Labels

None

Authorized viewers

None

CVE

None

Embargo Lift

None

Fix versions

Priority

Medium