Fix integer overflow in URI parsing

LukasWoodtli · LukasWoodtli · commit 0c65f010e9f0 · 2025-11-11T10:08:52.000+01:00
If an ID exeeds the max. possible value we return early with an error
instead of continuing and checking for too big values at the end.
diff --git a/core/uri.c b/core/uri.c
@@ -71,6 +71,9 @@ static int prv_parseNumber(uint8_t * uriString,
         {
             result *= 10;
             result += uriString[*headP] - '0';
+            if (result > LWM2M_MAX_ID) {
+                return -1;
+            }
         }
         else
         {
diff --git a/fuzzing/registration_handleRequest/CMakeLists.txt b/fuzzing/registration_handleRequest/CMakeLists.txt
@@ -1,3 +1,7 @@
-add_fuzzing_test(TARGET_NAME fuz_registration_handleRequest SOURCE_FILES fuz_registration_handleRequest.c)
+add_fuzzing_test(
+    TARGET_NAME fuz_registration_handleRequest
+    SOURCE_FILES fuz_registration_handleRequest.c
+    CRASH_FILES_DIR crash_files/
+)
 # workaround to be able to test private functions
 target_include_directories(fuz_registration_handleRequest PRIVATE ../../coap ../../core)
diff --git a/fuzzing/registration_handleRequest/crash_files/crash-4e842fc818f746482a3bfd0029ed4b5ed5b044d3 b/fuzzing/registration_handleRequest/crash_files/crash-4e842fc818f746482a3bfd0029ed4b5ed5b044d3
@@ -0,0 +1 @@
+</37777777777>/>/

Original file line number	Diff line number	Diff line change
`@@ -71,6 +71,9 @@ static int prv_parseNumber(uint8_t * uriString,`
`71`	`71`	`{`
`72`	`72`	`result *= 10;`
`73`	`73`	`result += uriString[*headP] - '0';`
	`74`	`+ if (result > LWM2M_MAX_ID) {`
	`75`	`+ return -1;`
	`76`	`+ }`
`74`	`77`	`}`
`75`	`78`	`else`
`76`	`79`	`{`