Fix Null Pointer Dereference in TCP Packet Handling (#36751)

BoB13-Matter · restyled-commits · web-flow · commit 27ca6ec255b7 · 2024-12-18T19:42:26.000Z
* Fix Null Pointer Dereference in TCP Packet Handling

* Fix handle zero messageSize in TCP packet processing

* Add test for TCP MessageSize

* Modify test

* Restyled by clang-format

* Modify the position of an if statement

* Modify test

---------

Co-authored-by: BoB13-Matter &lt;--global&gt;
Co-authored-by: Restyled.io &lt;commits@restyled.io&gt;
diff --git a/src/transport/raw/TCP.cpp b/src/transport/raw/TCP.cpp
@@ -343,7 +343,15 @@ CHIP_ERROR TCPBase::ProcessReceivedBuffer(Inet::TCPEndPoint * endPoint, const Pe
             // We have not yet received the complete message.
             return CHIP_NO_ERROR;
         }
+
         state->mReceived.Consume(kPacketSizeBytes);
+
+        if (messageSize == 0)
+        {
+            // No payload but considered a valid message. Return success to keep the connection alive.
+            return CHIP_NO_ERROR;
+        }
+
         ReturnErrorOnFailure(ProcessSingleMessage(peerAddress, state, messageSize));
     }
 
diff --git a/src/transport/raw/tests/TestTCP.cpp b/src/transport/raw/tests/TestTCP.cpp
@@ -64,7 +64,8 @@ constexpr NodeId kSourceNodeId      = 123654;
 constexpr NodeId kDestinationNodeId = 111222333;
 constexpr uint32_t kMessageCounter  = 18;
 
-const char PAYLOAD[] = "Hello!";
+const char PAYLOAD[]          = "Hello!";
+const char messageSize_TEST[] = "\x00\x00\x00\x00";
 
 class MockTransportMgrDelegate : public chip::TransportMgrDelegate
 {
@@ -633,6 +634,12 @@ TEST_F(TestTCP, CheckProcessReceivedBuffer)
     TestData testData[2];
     gMockTransportMgrDelegate.SetCallback(TestDataCallbackCheck, testData);
 
+    // Test a single packet buffer with zero message size.
+    System::PacketBufferHandle buf = System::PacketBufferHandle::NewWithData(messageSize_TEST, 4);
+    ASSERT_NE(&buf, nullptr);
+    err = TestAccess::ProcessReceivedBuffer(tcp, lEndPoint, lPeerAddress, std::move(buf));
+    EXPECT_EQ(err, CHIP_NO_ERROR);
+
     // Test a single packet buffer.
     gMockTransportMgrDelegate.mReceiveHandlerCallCount = 0;
     EXPECT_TRUE(testData[0].Init((const uint32_t[]){ 111, 0 }));
