nanocoap: always write at least 1 byte in coap_block2_finish()

The CoAP block option gets written twice: First a 'dummy' value is written by `coap_opt_add_block2()`, later this gets overwritten by the real option value by coap_block2_finish(). The problem arises when the size of the option changes. If the option ends up smaller than the dummy, we have garbage bytes after the real option value, corrupting the packet. To mitigate this, always write at least one option byte (which will be a 0 byte) to ensure the dummy data is overwritten. fixes #20686
RIOT-OS · Sep 7, 2024 · 66fe083 · 66fe083
1 parent ed9faa9
commit 66fe083
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/sys/net/application_layer/nanocoap/nanocoap.c b/sys/net/application_layer/nanocoap/nanocoap.c
@@ -1339,6 +1339,11 @@ bool coap_block_finish(coap_block_slicer_t *slicer, uint16_t option)
     uint32_t blkopt = _slicer2blkopt(slicer, more);
     size_t olen = _encode_uint(&blkopt);
 
+    /* ensure that we overwrite the dummy value set by coap_block2_init() */
+    if (!olen) {
+        olen = 1;
+    }
+
     coap_put_option(slicer->opt, option - delta, option, (uint8_t *)&blkopt, olen);
     return more;
 }