From 214665ac4b44b1b6a7e38d4d6907ee835a174928 Mon Sep 17 00:00:00 2001
From: Jon Shallow
Date: Mon, 25 Mar 2024 20:44:48 +0000
Subject: [PATCH] coap_pdu.c: Fix UndefinedBehaviorSanitizer: undefined-behavior
This fixes a reported error in coap_update_token() where a size_t calculation is overflowed (but all ends up with the correct value). Instead of adding an overflowed size_t, now subtract the reversed size_t calculation as appropriate. coap_update_option() and coap_insert_option() similarily updated.
---
 src/coap_pdu.c | 33 ++++++++++++++++++++++++---------
 1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/src/coap_pdu.c b/src/coap_pdu.c
index f37e888128..49a747302f 100644
--- a/src/coap_pdu.c
+++ b/src/coap_pdu.c
@@ -395,12 +395,15 @@ coap_update_token(coap_pdu_t *pdu, size_t len, const uint8_t *data) {
 memmove(&pdu->token[(len + bias) - pdu->e_token_length], pdu->token, pdu->used_size);
 pdu->used_size += len + bias - pdu->e_token_length;
+ if (pdu->data) {
+ pdu->data += (len + bias) - pdu->e_token_length;
+ }
 } else {
 pdu->used_size -= pdu->e_token_length - (len + bias);
 memmove(pdu->token, &pdu->token[pdu->e_token_length - (len + bias)], pdu->used_size);
- }
- if (pdu->data) {
- pdu->data += (len + bias) - pdu->e_token_length;
+ if (pdu->data) {
+ pdu->data -= pdu->e_token_length - (len + bias);
+ }
 }
 pdu->actual_token.length = len;
@@ -647,9 +650,15 @@ coap_insert_option(coap_pdu_t *pdu, coap_option_num_t number, size_t len,
 number - prev_number, data, len))
 return 0;
- pdu->used_size += shift - shrink;
- if (pdu->data)
- pdu->data += shift - shrink;
+ if (shift >= shrink) {
+ pdu->used_size += shift - shrink;
+ if (pdu->data)
+ pdu->data += shift - shrink;
+ } else {
+ pdu->used_size -= shrink - shift;
+ if (pdu->data)
+ pdu->data -= shrink - shift;
+ }
 return shift;
 }
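Review bot: Nothing in the new code records why the `pdu->data` adjustment was duplicated into the two branches, so a later tidy-up could fold it back into the single `pdu->data += (len + bias) - pdu->e_token_length;` this commit removes and silently reintroduce the sanitizer finding. A comment on the `if (pdu->data) {` in the else branch would anchor the intent, e.g. `/* Shrinking: subtract the positive difference. Adding the wrapped size_t lands on the right address but is pointer-overflow UB. */`. The `if` this `else` belongs to, and the rest of coap_update_token, lie outside the hunk.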
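Review bot: The grow-or-shrink bookkeeping is now hand-written three times in this commit (here, in coap_update_token and in coap_update_option), each with its own pair of `if (pdu->data)` checks, and the two option paths drop the braces that the token path keeps. A small static helper taking the two lengths and applying the difference in the non-wrapping direction would make the three call sites identical and give the "subtract, don't add the wrapped value" rule a single home; this site would become `coap_pdu_adjust_used(pdu, shift, shrink);` before `return shift;`. The declarations of `shift` and `shrink`, the call whose tail `number - prev_number, data, len))` opens the hunk, and the rest of coap_insert_option are outside the hunk.
```c
/* Apply an in-place size change of `shrink` bytes replaced by `grow` bytes
 * to used_size and the payload pointer. Always step in the non-wrapping
 * direction: ptr + (wrapped size_t) is undefined even when it lands right. */
static void
coap_pdu_adjust_used(coap_pdu_t *pdu, size_t grow, size_t shrink) {
  if (grow >= shrink) {
    pdu->used_size += grow - shrink;
    if (pdu->data) {
      pdu->data += grow - shrink;
    }
  } else {
    pdu->used_size -= shrink - grow;
    if (pdu->data) {
      pdu->data -= shrink - grow;
    }
  }
}

/* … unchanged: rest of coap_insert_option … */
  coap_pdu_adjust_used(pdu, shift, shrink);
  return shift;
```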
@@ -687,9 +696,15 @@ coap_update_option(coap_pdu_t *pdu, coap_option_num_t number, size_t len,
 decode.delta, data, len))
 return 0;
- pdu->used_size += new_length - old_length;
- if (pdu->data)
- pdu->data += new_length - old_length;
+ if (new_length >= old_length) {
+ pdu->used_size += new_length - old_length;
+ if (pdu->data)
+ pdu->data += new_length - old_length;
+ } else {
+ pdu->used_size -= old_length - new_length;
+ if (pdu->data)
+ pdu->data -= old_length - new_length;
+ }
 return 1;
 }
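Review bot: The two `if (pdu->data)` bodies added in the new branches are unbraced single statements, whereas the same construct added to coap_update_token in this commit is braced; the braced form keeps a later added line from silently falling outside the condition, and matching it within one patch avoids two styles for identical code. Writing `if (pdu->data) {` / `pdu->data -= old_length - new_length;` / `}` (and the same in the grow branch) would align this with the token path. The declarations of `new_length` and `old_length`, the call whose tail `decode.delta, data, len))` opens the hunk, and the rest of coap_update_option are outside the hunk.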