In the coap_opt_put_uri_pathquery function, if the uri is "?", strchr returns a pointer to the first character, so query == uri. The expression query - uri - 1 then evaluates to -1, which converts to 0xffffffff in type size_t (SIZE_MAX on a 32-bit size_t):
size_t coap_opt_put_uri_pathquery(uint8_t *buf, uint16_t *lastonum, const char *uri)
{
    const char *query = strchr(uri, '?');
    /* query == uri when the path begins with '?', so query - uri - 1 == -1 */
    size_t len = query ? (size_t)(query - uri - 1) : strlen(uri);
    /* the wrapped len is passed on as the Uri-Path string length */
    size_t bytes_out = coap_opt_put_string_with_len(buf, *lastonum,
                                                    COAP_OPT_URI_PATH,
                                                    uri, len, '/');
    /* remainder of the function not shown in the report */
The uri argument comes from req->path:
pktpos += coap_opt_put_uri_pathquery(pktpos, &lastonum, req->path);
Summary
An integer underflow in coap_opt_put_uri_pathquery
Details
As shown in the snippet above, a uri of "?" makes strchr return uri itself, so query - uri - 1 is -1 and len wraps to 0xffffffff (SIZE_MAX); that length is then handed to coap_opt_put_string_with_len. The uri is taken directly from req->path.
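To make the wrap-around concrete, here is an added example (not code from the report or from the project) that isolates the length computation from the snippet above, puts a clamped variant beside it, and applies the sanity check a caller could run before passing len on. The function names are ours, and the clamped variant is a suggestion, not the project's fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same expression as the reported snippet. For uri == "?", strchr() returns
 * uri itself, so query - uri - 1 is -1 and the cast wraps to SIZE_MAX. */
size_t path_len_buggy(const char *uri)
{
    const char *query = strchr(uri, '?');
    return query ? (size_t)(query - uri - 1) : strlen(uri);
}

/* Clamped variant (our suggestion): do the subtraction in a signed type and
 * never go below zero, so a '?' at offset 0 yields an empty path length. */
size_t path_len_safe(const char *uri)
{
    const char *query = strchr(uri, '?');
    if (!query) {
        return strlen(uri);
    }
    ptrdiff_t n = (query - uri) - 1;
    return n > 0 ? (size_t)n : 0;
}

/* A path length longer than the whole string can never be right; this is the
 * check a caller could apply before handing len to the option encoder. */
int path_len_is_sane(const char *uri, size_t len)
{
    return len <= strlen(uri);
}

int main(void)
{
    const char *poc = "?";            /* the PoC value from the report */
    size_t bad = path_len_buggy(poc);
    size_t ok  = path_len_safe(poc);
    printf("buggy len = %zu (sane=%d)\n", bad, path_len_is_sane(poc, bad));
    printf("safe  len = %zu (sane=%d)\n", ok,  path_len_is_sane(poc, ok));
    return 0;
}
```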
PoC
req->path = "?"
Impact
Integer underflow of the computed path length (len wraps to 0xffffffff), which is then passed to coap_opt_put_string_with_len as the string length.