@@ -1331,8 +1331,21 @@ static ssize_t _cache_check(const uint8_t *buf, size_t len,
13311331 if ((resp_etag_len > 0 ) && ((size_t )resp_etag_len <= COAP_ETAG_LENGTH_MAX )) {
13321332 uint8_t * tmp_etag ;
13331333 ssize_t tmp_etag_len = coap_opt_get_opaque (& req , COAP_OPT_ETAG , & tmp_etag );
1334-
13351334 if (tmp_etag_len >= resp_etag_len ) {
1335+ /* peak length without padding */
1336+ size_t rem_len = (len - (tmp_etag + tmp_etag_len - buf ));
1337+
1338+ if ((tmp_etag < buf ) || (tmp_etag > (buf + len )) ||
1339+ (rem_len > (len - ((tmp_etag + COAP_ETAG_LENGTH_MAX ) - buf )))) {
1340+ DEBUG ("gcoap: invalid calculated padding length (%lu) for ETag injection "
1341+ "during cache lookup.\n" , (long unsigned )rem_len );
1342+ /* something fishy happened in the request. Better don't return cache entry */
1343+ * cache_hit = false;
1344+ #if IS_USED (MODULE_NANOCOAP_CACHE )
1345+ memset (memo -> cache_key , 0 , sizeof (memo -> cache_key ));
1346+ #endif
1347+ return - EINVAL ;
1348+ }
13361349 memcpy (tmp_etag , resp_etag , resp_etag_len );
13371350 /* shorten ETag option if necessary */
13381351 if ((size_t )resp_etag_len < COAP_ETAG_LENGTH_MAX ) {
@@ -1345,7 +1358,6 @@ static ssize_t _cache_check(const uint8_t *buf, size_t len,
13451358 * bitmask resp_etag_len */
13461359 * start |= (uint8_t )resp_etag_len ;
13471360 /* remove padding */
1348- size_t rem_len = (len - (tmp_etag + COAP_ETAG_LENGTH_MAX - buf ));
13491361 memmove (tmp_etag + resp_etag_len , tmp_etag + COAP_ETAG_LENGTH_MAX , rem_len );
13501362 len -= (COAP_ETAG_LENGTH_MAX - resp_etag_len );
13511363 }
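Review bot: The new bounds check (new-side lines 1336–1339) computes `rem_len` and the right-hand side of its third comparison with `size_t` subtractions that wrap whenever the ETag option extends past `buf + len`; both sides then wrap by the same amount and the comparison passes, so as written the third condition only rejects `tmp_etag_len < COAP_ETAG_LENGTH_MAX` and never catches an ETag that runs off the end of the buffer (for example `tmp_etag == buf + len` with `tmp_etag_len == COAP_ETAG_LENGTH_MAX` passes all three tests and the following `memcpy` writes past `len`). The expression `tmp_etag + tmp_etag_len - buf` is also evaluated before `tmp_etag` has been checked against `buf`, which is undefined for a pointer outside the buffer. Validate with an offset and non-wrapping unsigned comparisons first, then derive `rem_len` from the checked offset as below; this keeps `rem_len` relative to `COAP_ETAG_LENGTH_MAX`, which is what the later `memmove` expects. `_cache_check` starts and ends outside the hunk; if the option parser already guarantees `tmp_etag_len <= COAP_ETAG_LENGTH_MAX`, the `!=` test below is equivalent to the original `<`.
```c
if (tmp_etag_len >= resp_etag_len) {
    /* the injected ETag must lie fully inside buf and carry its padded length */
    size_t etag_off = (tmp_etag >= buf) ? (size_t)(tmp_etag - buf) : SIZE_MAX;

    if ((tmp_etag < buf) || (tmp_etag > (buf + len)) ||
        ((size_t)tmp_etag_len != COAP_ETAG_LENGTH_MAX) ||
        (len < COAP_ETAG_LENGTH_MAX) ||
        (etag_off > (len - COAP_ETAG_LENGTH_MAX))) {
        DEBUG("gcoap: invalid ETag offset (%lu) for ETag injection "
              "during cache lookup.\n", (long unsigned)etag_off);
        /* … unchanged: cache_hit reset, cache_key memset, return -EINVAL … */
    }
    /* bytes following the padded ETag; cannot wrap after the checks above */
    size_t rem_len = len - (etag_off + COAP_ETAG_LENGTH_MAX);
    memcpy(tmp_etag, resp_etag, resp_etag_len);
    /* … unchanged: shorten ETag option, memmove(tmp_etag + resp_etag_len, …, rem_len) … */
```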