Fix too large buffer size in VerifyStatusReport() #4765
Conversation
pullapprove
bot
requested review from
andy31415,
BroderickCarlin,
chrisdecenzo,
hawk248,
jelderton,
mspang,
saurabhst and
woody-apple
|
Can we do something like Reader reader(msg) |
BufferReader doesn't have |
I strongly feel like adding |
I'm happy to add this as part of this PR |
Yes, please. |
| @@ -129,8 +129,13 @@ void VerifyStatusReport(nlTestSuite * inSuite, void * inContext, const System::P | |||
| NL_TEST_ASSERT(inSuite, err == CHIP_NO_ERROR); | |||
| NL_TEST_ASSERT(inSuite, payloadHeader.GetProtocolID() == Protocols::kProtocol_Protocol_Common); | |||
| NL_TEST_ASSERT(inSuite, payloadHeader.GetMessageType() == static_cast<uint8_t>(Protocols::Common::MsgType::StatusReport)); | |||
| if (headerSize > msg->DataLength()) | |||
There was a problem hiding this comment.
In theory, this should have caused err to be an error.... I'm OK with keeping it, or ok with a comment saying we can assume headerSize is small enough because err == CHIP_NO_ERROR here.
Certainly non-test code makes that assumption.
|
|
||
| Encoding::LittleEndian::Reader reader(msg->Start() + headerSize, msg->DataLength()); | ||
| Encoding::LittleEndian::Reader reader(msg->Start() + headerSize, static_cast<uint16_t>(msg->DataLength() - headerSize)); |
There was a problem hiding this comment.
Probably OK if we need to not change the state of msg. Otherwise we could msg->Consume(headerSize) or something and then ditch the arithmetic.
Problem
In
TestBdxTransferSession.cpp,VerifyStatusReport(), aReaderobject was being initialized with a length that exceeded the bounds of the PacketBuffer to read.Summary of Changes
Subtract
headerSizefrom the length parameter so that the Reader cannot read data beyond the bounds of the PacketBufferFixes #4748