net: coap: Fix possible overflow

Fix possible integer overflow when parsing a CoAP packet.

Signed-off-by: Flavio Ceolin <[email protected]>

Author: Flavio Ceolin

subsys/net/lib/coap/coap.c

@@ -17,6 +17,7 @@ LOG_MODULE_REGISTER(net_coap, CONFIG_COAP_LOG_LEVEL);
 
 #include <zephyr/types.h>
 #include <sys/byteorder.h>
+#include <sys/math_extras.h>
 
 #include <net/net_ip.h>
 #include <net/net_core.h>
@@ -469,7 +470,9 @@ static int parse_option(u8_t *data, u16_t offset, u16_t *pos,
 			return -EINVAL;
 		}
 
-		*opt_len += hdr_len;
+		if (u16_add_overflow(*opt_len, hdr_len, opt_len)) {
+			return -EINVAL;
+		}
 	}
 
 	if (len > COAP_OPTION_NO_EXT) {
@@ -480,11 +483,15 @@ static int parse_option(u8_t *data, u16_t offset, u16_t *pos,
 			return -EINVAL;
 		}
 
-		*opt_len += hdr_len;
+		if (u16_add_overflow(*opt_len, hdr_len, opt_len)) {
+			return -EINVAL;
+		}
 	}
 
-	*opt_delta += delta;
-	*opt_len += len;
+	if (u16_add_overflow(*opt_delta, delta, opt_delta) ||
+	    u16_add_overflow(*opt_len, len, opt_len)) {
+		return -EINVAL;
+	}
 
 	if (r == 0) {
 		if (len == 0U) {
@@ -519,7 +526,10 @@ static int parse_option(u8_t *data, u16_t offset, u16_t *pos,
 			return -EINVAL;
 		}
 	} else {
-		*pos += len;
+		if (u16_add_overflow(*pos, len, pos)) {
+			return -EINVAL;
+		}
+
 		r = max_len - *pos;
 	}