From 164963490816d550c8b4c6b50d4dc7f19d61dd0f Mon Sep 17 00:00:00 2001
From: Robert Szewczyk <szewczyk@google.com>
Date: Wed, 18 May 2022 17:04:59 -0700
Subject: [PATCH] Fix for a potential inifite loop in
 PrepareToReadVendorReservedElements (#18560)

When scanning up through the elements in search of a Vendor Reserved
element, `PrepareToReadVendorReser` would call `mTlvReader.Next()`
inside a `while (true)` loop.  Should the `TLVReader::Next()` return
an error other than `END_OF_TLV` the loop reader would neither advance
nor exit the loop.  The change exits the function on any way in a way
that parallels the earlier error checks on TLVReader errors.
---
 .../DeviceAttestationVendorReserved.h         |  2 ++
 .../TestDeviceAttestationConstruction.cpp     | 26 +++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/src/credentials/DeviceAttestationVendorReserved.h b/src/credentials/DeviceAttestationVendorReserved.h
index 7042b2c946ca3b..d81cb11871da67 100644
--- a/src/credentials/DeviceAttestationVendorReserved.h
+++ b/src/credentials/DeviceAttestationVendorReserved.h
@@ -62,6 +62,8 @@ class DeviceAttestationVendorReservedDeconstructor
                 break;
             }
 
+            ReturnErrorOnFailure(err);
+
             TLV::Tag tag = mTlvReader.GetTag();
             if (!TLV::IsContextTag(tag))
                 break;
diff --git a/src/credentials/tests/TestDeviceAttestationConstruction.cpp b/src/credentials/tests/TestDeviceAttestationConstruction.cpp
index 7ed7b5abb39d38..19987d31d475d4 100644
--- a/src/credentials/tests/TestDeviceAttestationConstruction.cpp
+++ b/src/credentials/tests/TestDeviceAttestationConstruction.cpp
@@ -500,6 +500,31 @@ static void TestAttestationElements_DeconstructionUnordered(nlTestSuite * inSuit
     NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_UNEXPECTED_TLV_ELEMENT);
 }
 
+static void TestAttestationElements_DeconstructionCorruptedTLV(nlTestSuite * inSuite, void * inContext)
+{
+    CHIP_ERROR err = CHIP_NO_ERROR;
+    using chip::FormatCHIPError;
+
+    // last element in the TLV 0x30 0x10 0x37 is engineered to generate a TLV
+    // underrun error -- the element claims to be an octet string with a length
+    // of 0x37 bytes but no data is actually present
+    constexpr uint8_t attestationElementsCorruptedTLVTestVector[] = {
+        0x15, 0x30, 0x01, 0x70, 0xd2, 0x84, 0x4b, 0xa2, 0x01, 0x26, 0x04, 0x46, 0x63, 0x73, 0x61, 0x63, 0x64, 0x30, 0xa0, 0x58,
+        0x1d, 0x15, 0x25, 0x01, 0x88, 0x99, 0x25, 0x02, 0xfe, 0xff, 0x25, 0x03, 0xd2, 0x04, 0x25, 0x04, 0x2e, 0x16, 0x24, 0x05,
+        0xaa, 0x25, 0x06, 0xde, 0xc0, 0x25, 0x07, 0x94, 0x26, 0x18, 0x58, 0x40, 0x96, 0x57, 0x2d, 0xd6, 0x3c, 0x03, 0x64, 0x0b,
+        0x28, 0x67, 0x02, 0xbd, 0x6b, 0xba, 0x48, 0xac, 0x7c, 0x83, 0x54, 0x9b, 0x68, 0x73, 0x29, 0x47, 0x48, 0xb9, 0x51, 0xd5,
+        0xab, 0x66, 0x62, 0x2e, 0x9d, 0x26, 0x10, 0x41, 0xf8, 0x0e, 0x97, 0x49, 0xfe, 0xff, 0x78, 0x10, 0x02, 0x49, 0x67, 0xae,
+        0xdf, 0x41, 0x38, 0x36, 0x5b, 0x0a, 0x22, 0x57, 0x14, 0x9c, 0x9a, 0x12, 0x3e, 0x0d, 0x30, 0xaa, 0x30, 0x02, 0x20, 0xe0,
+        0x42, 0x1b, 0x91, 0xc6, 0xfd, 0xcd, 0xb4, 0x0e, 0x2a, 0x4d, 0x2c, 0xf3, 0x1d, 0xb2, 0xb4, 0xe1, 0x8b, 0x41, 0x1b, 0x1d,
+        0x3a, 0xd4, 0xd1, 0x2a, 0x9d, 0x90, 0xaa, 0x8e, 0x52, 0xfa, 0xe2, 0x26, 0x03, 0xfd, 0xc6, 0x5b, 0x28, 0x30, 0x10, 0x37
+    };
+
+    DeviceAttestationVendorReservedDeconstructor vendorReserved;
+    size_t count = 2;
+    err          = vendorReserved.PrepareToReadVendorReservedElements(ByteSpan(attestationElementsCorruptedTLVTestVector), count);
+    NL_TEST_ASSERT(inSuite, err == CHIP_ERROR_TLV_UNDERRUN);
+}
+
 static void TestNocsrElements_Construction(nlTestSuite * inSuite, void * inContext)
 {
     static constexpr uint8_t kNocsrNonce[32] = {
@@ -644,6 +669,7 @@ static const nlTest sTests[] = {
     NL_TEST_DEF("Test Vendor Reserved Data Ordering", TestVendorReservedData),
     NL_TEST_DEF("Test Device Attestation Elements Deconstruction with Firmware Information", TestAttestationElements_DeconstructionWithFirmwareInfo),
     NL_TEST_DEF("Test Device Attestation Elements Deconstruction - Corrupted/Out of Order TLV", TestAttestationElements_DeconstructionUnordered),
+    NL_TEST_DEF("Test Device Attestation Elements Deconstruction - Corrupted TLV -- vendor reserved elements", TestAttestationElements_DeconstructionCorruptedTLV),
     NL_TEST_DEF("Test Device Attestation Elements Deconstruction - No vendor reserved", TestAttestationElements_DeconstructionNoVendorReserved),
     NL_TEST_DEF("Test Device NOCSR Elements Construction", TestNocsrElements_Construction),
     NL_TEST_DEF("Test Device NOCSR Elements Deconstruction", TestNocsrElements_Deconstruction),