Fix attr read overflows (project-chip#36003)

witowsg-amazon · web-flow · commit cf45d5d38870 · 2025-03-05T20:52:29.000Z
* Prevent Buffer Overflows with External Attribute Reads

* Prevent buffer overflows by blocking creation of dynamic endpoints
with attributes that would overflow the static attribute buffer
* Added additional sanity checks to block reads of attributes that
would overflow the attribute reads; return RESOURCE_EXHAUSTED instead

* Fix style + minor compile issues

* Fix include order

* Address PR Comments
diff --git a/src/app/util/attribute-storage.cpp b/src/app/util/attribute-storage.cpp
@@ -24,6 +24,7 @@
 #include <app/InteractionModelEngine.h>
 #include <app/reporting/reporting.h>
 #include <app/util/config.h>
+#include <app/util/ember-io-storage.h>
 #include <app/util/ember-strings.h>
 #include <app/util/endpoint-config-api.h>
 #include <app/util/generic-callbacks.h>
@@ -292,6 +293,30 @@ CHIP_ERROR emberAfSetDynamicEndpoint(uint16_t index, EndpointId id, const EmberA
         }
     }
 
+    const size_t bufferSize = Compatibility::Internal::gEmberAttributeIOBufferSpan.size();
+    for (uint8_t i = 0; i < ep->clusterCount; i++)
+    {
+        const EmberAfCluster * cluster = &(ep->cluster[i]);
+        if (!cluster->attributes)
+        {
+            continue;
+        }
+
+        for (uint16_t j = 0; j < cluster->attributeCount; j++)
+        {
+            const EmberAfAttributeMetadata * attr = &(cluster->attributes[j]);
+            uint16_t attrSize                     = emberAfAttributeSize(attr);
+            if (attrSize > bufferSize)
+            {
+                ChipLogError(DataManagement,
+                             "Attribute size %u exceeds max size %lu, (attrId=" ChipLogFormatMEI ", clusterId=" ChipLogFormatMEI
+                             ")",
+                             attrSize, static_cast<unsigned long>(bufferSize), ChipLogValueMEI(attr->attributeId),
+                             ChipLogValueMEI(cluster->clusterId));
+                return CHIP_ERROR_NO_MEMORY;
+            }
+        }
+    }
     emAfEndpoints[index].endpoint       = id;
     emAfEndpoints[index].deviceTypeList = deviceTypeList;
     emAfEndpoints[index].endpointType   = ep;
@@ -642,10 +667,20 @@ Status emAfReadOrWriteAttribute(const EmberAfAttributeSearchRecord * attRecord,
                                 // Is the attribute externally stored?
                                 if (am->mask & MATTER_ATTRIBUTE_FLAG_EXTERNAL_STORAGE)
                                 {
-                                    return (write ? emberAfExternalAttributeWriteCallback(attRecord->endpoint, attRecord->clusterId,
-                                                                                          am, buffer)
-                                                  : emberAfExternalAttributeReadCallback(attRecord->endpoint, attRecord->clusterId,
-                                                                                         am, buffer, emberAfAttributeSize(am)));
+                                    if (write)
+                                    {
+                                        return emberAfExternalAttributeWriteCallback(attRecord->endpoint, attRecord->clusterId, am,
+                                                                                     buffer);
+                                    }
+
+                                    if (readLength < emberAfAttributeSize(am))
+                                    {
+                                        // Prevent a potential buffer overflow
+                                        return Status::ResourceExhausted;
+                                    }
+
+                                    return emberAfExternalAttributeReadCallback(attRecord->endpoint, attRecord->clusterId, am,
+                                                                                buffer, emberAfAttributeSize(am));
                                 }
 
                                 // Internal storage is only supported for fixed endpoints
diff --git a/src/controller/tests/TestServerCommandDispatch.cpp b/src/controller/tests/TestServerCommandDispatch.cpp
@@ -215,7 +215,8 @@ TEST_F(TestServerCommandDispatch, TestNoHandler)
     EXPECT_EQ(GetExchangeManager().GetNumActiveExchanges(), 0u);
 }
 
-static const int kDescriptorAttributeArraySize = 254;
+// Use 8 so that we don't exceed the size of ATTRIBUTE_LARGEST defined by ZAP
+static const int kDescriptorAttributeArraySize = 8;
 
 // Declare Descriptor cluster attributes
 DECLARE_DYNAMIC_ATTRIBUTE_LIST_BEGIN(descriptorAttrs)

Original file line number	Diff line number	Diff line change
`@@ -215,7 +215,8 @@ TEST_F(TestServerCommandDispatch, TestNoHandler)`
`215`	`215`	`EXPECT_EQ(GetExchangeManager().GetNumActiveExchanges(), 0u);`
`216`	`216`	`}`
`217`	`217`
`218`		`-static const int kDescriptorAttributeArraySize = 254;`
	`218`	`+// Use 8 so that we don't exceed the size of ATTRIBUTE_LARGEST defined by ZAP`
	`219`	`+static const int kDescriptorAttributeArraySize = 8;`
`219`	`220`
`220`	`221`	`// Declare Descriptor cluster attributes`
`221`	`222`	`DECLARE_DYNAMIC_ATTRIBUTE_LIST_BEGIN(descriptorAttrs)`