Null Pointer Dereference in `coap_client_exchange_blockwise2` function in Keith Cullen FreeCoAP 1.0 allows remote attackers to cause a denial of service and potentially execute arbitrary code via a specially crafted CoAP packet that causes `coap_msg_get_payload(resp)` to return a null pointer, which is then dereferenced in a call to `memcpy`.
The vulnerability exists in the `coap_client_exchange_blockwise2` function, which does not verify whether the `coap_msg_get_payload(resp)` call returned a NULL value. An attacker sends a specially crafted CoAP packet that causes this function to return a NULL pointer. Subsequently, the NULL pointer is dereferenced in the `memcpy` call, leading to process crash or — under favorable circumstances — arbitrary code execution.
An attacker can cause an immediate application crash (DoS) or, under certain conditions, execute arbitrary code on the targeted system (RCE) without requiring any privileges.
Patches available from the vendor should be applied in accordance with the references. It is recommended to monitor the bug report at https://github.com/keith-cullen/FreeCoAP/issues/37 and restrict network access to CoAP services only from trusted sources as a temporary measure.
Keith-Cullen FreeCoAP version 1.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HKeith Cullen Freecoap
APPKeith-Cullen1.0
Related vulnerabilities
Buffer overflow w FreeCoAP umożliwia RCE lub DoS przez spreparowany pakiet
Błąd NULL pointer dereference w FreeCoAP — DoS i ujawnienie informacji
An issue in the server_handle_regular function of the test_coap_server.c file within the FreeCoAP project allo...