fix coap_parse_parms: use-after-free on uninitialized buf_t pointer

jeso-mchp · jeso-mchp · commit c41ea69b48e2 · 2026-04-09T11:56:28.000+02:00
coap_parse_parms declared buf_t *b without initializing to NULL.
When parse_var_bytes returned 0 (e.g. empty input), it did not write
to its output parameter, leaving b as a garbage pointer. The
subsequent bfree(b) freed an arbitrary address.

Initialize b to 0 so bfree is a safe no-op on the error path.

Found by libFuzzer with AddressSanitizer:
      ef hex coap-parms par
diff --git a/src/ef-coap.c b/src/ef-coap.c
@@ -80,7 +80,7 @@ buf_t *coap_parse_token(hdr_t *hdr, int hdr_offset, const char *s, int bytes) {
 
 int coap_parse_parms(hdr_t *hdr, int hdr_offset, struct field *f, int argc, const char *argv[]){
     int res;
-    buf_t *b, *bb = 0;
+    buf_t *b = 0, *bb = 0;
 
     res = parse_var_bytes(&b, argc, argv);
 
