From 24e24b8edcc658e6098904b6fbdaaf12b46c9fc6 Mon Sep 17 00:00:00 2001
From: Niclas Finne <nfi@sics.se>
Date: Thu, 12 Apr 2018 17:34:35 +0200
Subject: [PATCH] coap: added check for block offset overflow in block2
 requests.

The block offset is stored in a signed variable in calls to CoAP handlers and
too large block offsets will overflow into negative values.

Thanks to Bruno Melo for reporting this issue.
---
 os/net/app-layer/coap/coap-engine.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/os/net/app-layer/coap/coap-engine.c b/os/net/app-layer/coap/coap-engine.c
index fb85b5b15..cbfa70ee9 100644
--- a/os/net/app-layer/coap/coap-engine.c
+++ b/os/net/app-layer/coap/coap-engine.c
@@ -199,10 +199,18 @@ coap_receive(const coap_endpoint_t *src,
           new_offset = block_offset;
         }
 
-        /* call CoAP framework and check if found and allowed */
-        status = call_service(message, response,
-                              transaction->message + COAP_MAX_HEADER_SIZE,
-                              block_size, &new_offset);
+        if(new_offset < 0) {
+          LOG_DBG("Blockwise: block request offset overflow\n");
+          coap_status_code = BAD_OPTION_4_02;
+          coap_error_message = "BlockOutOfScope";
+          status = COAP_HANDLER_STATUS_CONTINUE;
+        } else {
+          /* call CoAP framework and check if found and allowed */
+          status = call_service(message, response,
+                                transaction->message + COAP_MAX_HEADER_SIZE,
+                                block_size, &new_offset);
+        }
+
         if(status != COAP_HANDLER_STATUS_CONTINUE) {
 
             if(coap_status_code == NO_ERROR) {