
Commit bcf5e08

committed
Address review comments
1 parent 5d26595 commit bcf5e08

17 files changed

+84
-54
lines changed

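--- a/src/ble/tests/TestBtpEngine.cpp
+++ b/src/ble/tests/TestBtpEngine.cpp
@@ -65,7 +65,7 @@ TEST_F(TestBtpEngine, HandleCharacteristicReceivedOnePacket)
 };
 
 auto packet0 = System::PacketBufferHandle::NewWithData(packetData0, sizeof(packetData0));
-EXPECT_EQ(packet0->DataLength(), 5);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(5));
 
 SequenceNumber_t receivedAck;
 bool didReceiveAck;
@@ -79,15 +79,15 @@ TEST_F(TestBtpEngine, HandleCharacteristicReceivedTwoPacket)
 constexpr uint8_t packetData1[] = { to_underlying(BtpEngine::HeaderFlags::kEndMessage), 0x02, 0xff };
 
 auto packet0 = System::PacketBufferHandle::NewWithData(packetData0, sizeof(packetData0));
-EXPECT_EQ(packet0->DataLength(), 5);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(5));
 
 SequenceNumber_t receivedAck;
 bool didReceiveAck;
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet0), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_InProgress);
 
 auto packet1 = System::PacketBufferHandle::NewWithData(packetData1, sizeof(packetData1));
-EXPECT_EQ(packet1->DataLength(), 3);
+EXPECT_EQ(packet1->DataLength(), static_cast<size_t>(3));
 
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet1), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_Complete);
@@ -100,21 +100,21 @@ TEST_F(TestBtpEngine, HandleCharacteristicReceivedThreePacket)
 constexpr uint8_t packetData2[] = { to_underlying(BtpEngine::HeaderFlags::kEndMessage), 0x03, 0xff };
 
 auto packet0 = System::PacketBufferHandle::NewWithData(packetData0, sizeof(packetData0));
-EXPECT_EQ(packet0->DataLength(), 5);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(5));
 
 SequenceNumber_t receivedAck;
 bool didReceiveAck;
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet0), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_InProgress);
 
 auto packet1 = System::PacketBufferHandle::NewWithData(packetData1, sizeof(packetData1));
-EXPECT_EQ(packet1->DataLength(), 3);
+EXPECT_EQ(packet1->DataLength(), static_cast<size_t>(3));
 
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet1), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_InProgress);
 
 auto packet2 = System::PacketBufferHandle::NewWithData(packetData2, sizeof(packetData2));
-EXPECT_EQ(packet2->DataLength(), 3);
+EXPECT_EQ(packet2->DataLength(), static_cast<size_t>(3));
 
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet2), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_Complete);
@@ -131,7 +131,7 @@ TEST_F(TestBtpEngine, HandleCharacteristicSendOnePacket)
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(packet0.Retain(), false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_Complete);
-EXPECT_EQ(packet0->DataLength(), 5);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(5));
 }
 
 TEST_F(TestBtpEngine, HandleCharacteristicSendTwoPacket)
@@ -145,11 +145,11 @@ TEST_F(TestBtpEngine, HandleCharacteristicSendTwoPacket)
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(packet0.Retain(), false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_InProgress);
-EXPECT_EQ(packet0->DataLength(), 20);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(20));
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(nullptr, false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_Complete);
-EXPECT_EQ(packet0->DataLength(), 16);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(16));
 }
 
 // Send 40-byte payload.
@@ -167,15 +167,15 @@ TEST_F(TestBtpEngine, HandleCharacteristicSendThreePacket)
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(packet0.Retain(), false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_InProgress);
-EXPECT_EQ(packet0->DataLength(), 20);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(20));
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(nullptr, false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_InProgress);
-EXPECT_EQ(packet0->DataLength(), 20);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(20));
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(nullptr, false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_Complete);
-EXPECT_EQ(packet0->DataLength(), 8);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(8));
 }
 
 } // namespace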

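--- a/src/inet/TCPEndPointImplLwIP.cpp
+++ b/src/inet/TCPEndPointImplLwIP.cpp
@@ -508,7 +508,7 @@ CHIP_ERROR TCPEndPointImplLwIP::AckReceive(size_t len)
 VerifyOrReturnError(IsConnected(), CHIP_ERROR_INCORRECT_STATE);
 CHIP_ERROR res = CHIP_NO_ERROR;
 
-VerifyOrReturnError(len < UINT16_MAX, CHIP_ERROR_INVALID_ARGUMENT);
+VerifyOrReturnError(len <= UINT16_MAX, CHIP_ERROR_INVALID_ARGUMENT);
 
 // Lock LwIP stack
 LOCK_TCPIP_CORE();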

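--- a/src/inet/TCPEndPointImplSockets.cpp
+++ b/src/inet/TCPEndPointImplSockets.cpp
@@ -483,7 +483,7 @@ CHIP_ERROR TCPEndPointImplSockets::DriveSendingImpl()
 
 while (!mSendQueue.IsNull())
 {
-uint32_t bufLen = static_cast<uint32_t>(mSendQueue->DataLength());
+size_t bufLen = mSendQueue->DataLength();
 
 ssize_t lenSentRaw = send(mSocket, mSendQueue->Start(), bufLen, sendFlags);
 
@@ -496,14 +496,14 @@ CHIP_ERROR TCPEndPointImplSockets::DriveSendingImpl()
 break;
 }
 
-if (lenSentRaw < 0 || bufLen < static_cast<uint32_t>(lenSentRaw))
+if (lenSentRaw < 0 || bufLen < static_cast<size_t>(lenSentRaw))
 {
 err = CHIP_ERROR_INCORRECT_STATE;
 break;
 }
 
 // Cast is safe because bufLen is uint32_t.
-uint32_t lenSent = static_cast<uint32_t>(lenSentRaw);
+size_t lenSent = static_cast<size_t>(lenSentRaw);
 
 // Mark the connection as being active.
 MarkActive();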
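Review bot: The comment `// Cast is safe because bufLen is uint32_t.` above the `lenSent` assignment in the second hunk is stale, because `bufLen` and `lenSent` are both `size_t` after this change. What makes the cast safe is the guard a few lines up, `lenSentRaw < 0 || bufLen < static_cast<size_t>(lenSentRaw)`, so the comment should say that, for example `// Cast is safe: lenSentRaw is non-negative and no larger than bufLen.` DriveSendingImpl continues past the hunk, so any later narrowing of `lenSent` is not visible here and deserves a second look.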

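--- a/src/inet/UDPEndPointImplOpenThread.cpp
+++ b/src/inet/UDPEndPointImplOpenThread.cpp
@@ -225,7 +225,7 @@ CHIP_ERROR UDPEndPointImplOT::SendMsgImpl(const IPPacketInfo * aPktInfo, System:
 otMessageInfo messageInfo;
 
 // For now the entire message must fit within a single buffer.
-VerifyOrReturnError(!msg->HasChainedBuffer(), CHIP_ERROR_MESSAGE_TOO_LONG);
+VerifyOrReturnError(!msg->HasChainedBuffer() && msg->DataLength() <= UINT16_MAX, CHIP_ERROR_MESSAGE_TOO_LONG);
 
 memset(&messageInfo, 0, sizeof(messageInfo));
 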
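Review bot: The new `msg->DataLength() <= UINT16_MAX` condition in SendMsgImpl is undocumented; the comment above it still describes only the single-buffer rule. Presumably the limit comes from a 16-bit length used further down in the function, which is outside the hunk. If so, say it next to the check, for example `// The length must also fit the uint16_t that is handed on below.` Without that, a reader cannot tell whether the bound is a protocol limit or an API limit, and is likely to relax it in the wrong place.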

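--- a/src/inet/UDPEndPointImplSockets.cpp
+++ b/src/inet/UDPEndPointImplSockets.cpp
@@ -610,7 +610,7 @@ void UDPEndPointImplSockets::HandlePendingIO(System::SocketEvents events)
 
 ssize_t rcvLen = recvmsg(mSocket, &msgHeader, MSG_DONTWAIT);
 
-if (rcvLen < 0)
+if (rcvLen == -1)
 {
 lStatus = CHIP_ERROR_POSIX(errno);
 }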
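Review bot: `if (rcvLen == -1)` in HandlePendingIO is a narrower guard than the `rcvLen < 0` it replaces. recvmsg() documents -1 as its only error return, so the two agree today. The rest of the function is outside the hunk and presumably converts `rcvLen` to an unsigned length, so with `== -1` any other negative value would reach that conversion as a very large size. I would keep the defensive form, `if (rcvLen < 0)`, or reject negative values explicitly before the length is cast.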

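--- a/src/lib/core/tests/TestTLV.cpp
+++ b/src/lib/core/tests/TestTLV.cpp
@@ -272,12 +272,12 @@ void TestDupBytes(nlTestSuite * inSuite, TLVReader & reader, Tag tag, const uint
 }
 
 void TestBufferContents(nlTestSuite * inSuite, const System::PacketBufferHandle & buffer, const uint8_t * expectedVal,
-uint32_t expectedLen)
+size_t expectedLen)
 {
 System::PacketBufferHandle buf = buffer.Retain();
 while (!buf.IsNull())
 {
-uint32_t len = static_cast<uint32_t>(buf->DataLength());
+size_t len = buf->DataLength();
 NL_TEST_ASSERT(inSuite, len <= expectedLen);
 
 NL_TEST_ASSERT(inSuite, memcmp(buf->Start(), expectedVal, len) == 0);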
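Review bot: In TestBufferContents the `memcmp(buf->Start(), expectedVal, len)` still runs when the preceding `len <= expectedLen` assertion fails, because NL_TEST_ASSERT, as far as I know, records the failure and carries on. In that case the comparison reads past the end of `expectedVal`. Widening `len` to `size_t` does not change this, but since the lines are being touched I would add `if (len > expectedLen) { return; }` right after the first assertion. The loop body continues outside the hunk.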

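--- a/src/messaging/tests/echo/echo_requester.cpp
+++ b/src/messaging/tests/echo/echo_requester.cpp
@@ -183,7 +183,7 @@ void HandleEchoResponseReceived(chip::Messaging::ExchangeContext * ec, chip::Sys
 
 gEchoRespCount++;
 
-printf("Echo Response: %" PRIu64 "/%" PRIu64 "(%.2f%%) len=%u time=%.3fs\n", gEchoRespCount, gEchoCount,
+printf("Echo Response: %" PRIu64 "/%" PRIu64 "(%.2f%%) len=%" PRIu32 "time=%.3fs\n", gEchoRespCount, gEchoCount,
 static_cast<double>(gEchoRespCount) * 100 / static_cast<double>(gEchoCount),
 static_cast<uint32_t>(payload->DataLength()),
 static_cast<double>(chip::System::Clock::Milliseconds32(transitTime).count()) / 1000);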
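Review bot: The rewritten format string drops the space that separated the length from `time=`, so `len=%" PRIu32 "time=%.3fs\n"` runs the two fields together (something like `len=12time=0.005s`). Restore it with `len=%" PRIu32 " time=%.3fs\n"`. The same slip is in echo_responder.cpp, where `len=%" PRIu32 "... sending response.\n"` lost the space before `...`. Both calls still narrow `DataLength()` to `uint32_t` for printing, which is harmless for a log line but means the printed value is not authoritative for very large buffers.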

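--- a/src/messaging/tests/echo/echo_responder.cpp
+++ b/src/messaging/tests/echo/echo_responder.cpp
@@ -49,7 +49,7 @@ chip::SessionHolder gSession;
 // Callback handler when a CHIP EchoRequest is received.
 void HandleEchoRequestReceived(chip::Messaging::ExchangeContext * ec, chip::System::PacketBufferHandle && payload)
 {
-printf("Echo Request, len=%u ... sending response.\n", static_cast<uint32_t>(payload->DataLength()));
+printf("Echo Request, len=%" PRIu32 "... sending response.\n", static_cast<uint32_t>(payload->DataLength()));
 }
 
 } // namespace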

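--- a/src/platform/ESP32/nimble/BLEManagerImpl.cpp
+++ b/src/platform/ESP32/nimble/BLEManagerImpl.cpp
@@ -575,6 +575,10 @@ bool BLEManagerImpl::SendIndication(BLE_CONNECTION_OBJECT conId, const ChipBleUU
 
 ESP_LOGD(TAG, "Sending indication for CHIPoBLE TX characteristic (con %u, len %u)", conId, data->DataLength());
 
+// For BLE, the buffer is capped at UINT16_MAX. Nevertheless, have a verify
+// check before the cast to uint16_t.
+VerifyOrExit(data->DataLength() <= UINT16_MAX, err = CHIP_ERROR_MESSAGE_TOO_LONG);
+
 om = ble_hs_mbuf_from_flat(data->Start(), static_cast<uint16_t>(data->DataLength()));
 if (om == NULL)
 {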
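Review bot: The ESP_LOGD call just above the new check passes `data->DataLength()` straight to a `%u` conversion. Other files in this commit treat `DataLength()` as `size_t`, and if that holds here the argument no longer matches the format on any target where `size_t` is not `unsigned int`. Cast it for logging, for example `static_cast<unsigned int>(data->DataLength())`. The new `VerifyOrExit` before the `uint16_t` cast looks right; SendIndication starts and ends outside the hunk, so the exit path it jumps to is not visible here.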

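--- a/src/platform/Zephyr/BLEManagerImpl.cpp
+++ b/src/platform/Zephyr/BLEManagerImpl.cpp
@@ -659,7 +659,8 @@ bool BLEManagerImpl::SendIndication(BLE_CONNECTION_OBJECT conId, const ChipBleUU
 params->attr = &sChipoBleAttributes[kCHIPoBLE_CCC_AttributeIndex];
 params->func = HandleTXIndicated;
 params->data = pBuf->Start();
-params->len = static_cast<uint16_t>(pBuf->DataLength());
+VerifyOrExit(pBuf->DataLength() <= UINT16_MAX, err = CHIP_ERROR_MESSAGE_TOO_LONG);
+params->len = static_cast<uint16_t>(pBuf->DataLength());
 
 status = bt_gatt_indicate(conId, params);
 VerifyOrExit(status == 0, err = MapErrorZephyr(status));
@@ -837,6 +838,8 @@ ssize_t BLEManagerImpl::HandleC3Read(struct bt_conn * conId, const struct bt_gat
 return 0;
 }
 
+// For BLE, the max payload size is limited to UINT16_MAX since the length
+// field is 2 bytes long. So, the cast to uint16_t should be fine.
 return bt_gatt_attr_read(conId, attr, buf, len, offset, sInstance.c3CharDataBufferHandle->Start(),
 static_cast<uint16_t>(sInstance.c3CharDataBufferHandle->DataLength()));
 }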
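Review bot: HandleC3Read only gains a comment saying the cast to `uint16_t` should be fine, while SendIndication in the same file now verifies `DataLength() <= UINT16_MAX` before the identical cast. A comment does not stop `static_cast<uint16_t>(sInstance.c3CharDataBufferHandle->DataLength())` from truncating if the buffer is ever larger than expected, and a truncated length would make the read return a partial value with no error. I would add the same check before the `bt_gatt_attr_read` call and return early; the function already has a `return 0;` exit just above, or an ATT error could be returned instead. The start of HandleC3Read is outside the hunk.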

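--- a/src/platform/bouffalolab/common/BLEManagerImpl.cpp
+++ b/src/platform/bouffalolab/common/BLEManagerImpl.cpp
@@ -669,7 +669,10 @@ bool BLEManagerImpl::SendIndication(BLE_CONNECTION_OBJECT conId, const ChipBleUU
 params->attr = &sChipoBleAttributes[kCHIPoBLE_CCC_AttributeIndex];
 params->func = HandleTXIndicated;
 params->data = pBuf->Start();
-params->len = static_cast<uint16_t>(pBuf->DataLength());
+// For BLE, the buffer is capped at UINT16_MAX. Nevertheless, have a verify
+// check before the cast to uint16_t.
+VerifyOrExit(pBuf->DataLength() <= UINT16_MAX, err = CHIP_ERROR_MESSAGE_TOO_LONG);
+params->len = static_cast<uint16_t>(pBuf->DataLength());
 
 status = bt_gatt_indicate(conId, params);
 VerifyOrExit(status == 0, err = MapErrorZephyr(status));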

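--- a/src/platform/mbed/BLEManagerImpl.cpp
+++ b/src/platform/mbed/BLEManagerImpl.cpp
@@ -984,6 +984,9 @@ bool BLEManagerImpl::SendIndication(BLE_CONNECTION_OBJECT conId, const ChipBleUU
 ble::GattServer & gatt_server = ble::BLE::Instance().gattServer();
 ble::attribute_handle_t att_handle;
 
+// For BLE, the buffer is capped at UINT16_MAX.
+VerifyOrExit(pBuf->DataLength() <= UINT16_MAX, err = CHIP_ERROR_MESSAGE_TOO_LONG);
+
 // No need to do anything fancy here. Only 3 handles are used in this impl.
 if (UUIDsMatch(charId, &ChipUUID_CHIPoBLEChar_TX))
 {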

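--- a/src/protocols/secure_channel/CASESession.cpp
+++ b/src/protocols/secure_channel/CASESession.cpp
@@ -1579,8 +1579,8 @@ CHIP_ERROR CASESession::HandleSigma3a(System::PacketBufferHandle && msg)
 TLV::TLVReader decryptedDataTlvReader;
 TLV::TLVType containerType = TLV::kTLVType_Structure;
 
-const uint8_t * buf = msg->Start();
-const uint32_t bufLen = static_cast<uint32_t>(msg->DataLength());
+const uint8_t * buf = msg->Start();
+const size_t bufLen = msg->DataLength();
 
 constexpr size_t kCaseOverheadForFutureTbeData = 128;
 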

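--- a/src/system/SystemPacketBuffer.cpp
+++ b/src/system/SystemPacketBuffer.cpp
@@ -117,8 +117,8 @@ void PacketBuffer::InternalCheck(const PacketBuffer * buffer)
 VerifyOrDieWithMsg(::chip::Platform::MemoryDebugCheckPointer(buffer, buffer->alloc_size + kStructureSize), chipSystemLayer,
 "invalid packet buffer pointer");
 VerifyOrDieWithMsg(buffer->alloc_size >= buffer->ReservedSize() + buffer->len, chipSystemLayer,
-"packet buffer overflow %u < %u+%u", static_cast<uint32_t>(buffer->alloc_size), buffer->ReservedSize(),
-static_cast<uint32_t>(buffer->len));
+"packet buffer overflow %" PRIu32 " < %" PRIu16 " +%" PRIu32, static_cast<uint32_t>(buffer->alloc_size),
+buffer->ReservedSize(), static_cast<uint32_t>(buffer->len));
 }
 }
 #endif // CHIP_SYSTEM_PACKETBUFFER_HAS_CHECK
@@ -137,7 +137,7 @@ void PacketBufferHandle::InternalRightSize()
 // Reallocate only if enough space will be saved.
 const uint8_t * const start = mBuffer->ReserveStart();
 const uint8_t * const payload = mBuffer->Start();
-const size_t usedSize = static_cast<size_t>(static_cast<uint32_t>(payload - start) + mBuffer->len);
+const size_t usedSize = static_cast<size_t>(payload - start + static_cast<ptrdiff_t>(mBuffer->len));
 if (usedSize + kRightSizingThreshold > mBuffer->alloc_size)
 {
 return;
@@ -204,16 +204,20 @@ void PacketBuffer::SetStart(uint8_t * aNewStart)
 aNewStart = kEnd;
 
 ptrdiff_t lDelta = aNewStart - static_cast<uint8_t *>(this->payload);
-if (lDelta > static_cast<int32_t>(this->len))
-lDelta = static_cast<int32_t>(this->len);
+if (lDelta > 0 && this->len < static_cast<size_t>(lDelta))
+lDelta = static_cast<ptrdiff_t>(this->len);
 
 #if CHIP_SYSTEM_CONFIG_USE_LWIP
-this->len = static_cast<uint16_t>(static_cast<int32_t>(this->len) - lDelta);
-this->tot_len = static_cast<uint16_t>(static_cast<int32_t>(this->tot_len) - lDelta);
+VerifyOrDieWithMsg((static_cast<ptrdiff_t>(this->len) - lDelta) <= UINT16_MAX, chipSystemLayer,
+"LwIP buffer length cannot exceed UINT16_MAX");
+this->len = static_cast<uint16_t>(static_cast<ptrdiff_t>(this->len) - lDelta);
+VerifyOrDieWithMsg((static_cast<ptrdiff_t>(this->tot_len) - lDelta) <= UINT16_MAX, chipSystemLayer,
+"LwIP buffer length cannot exceed UINT16_MAX");
+this->tot_len = static_cast<uint16_t>(static_cast<ptrdiff_t>(this->tot_len) - lDelta);
 #else
-this->len = static_cast<size_t>(static_cast<int32_t>(this->len) - lDelta);
-this->tot_len = static_cast<size_t>(static_cast<int32_t>(this->tot_len) - lDelta);
-#endif
+this->len = static_cast<size_t>(static_cast<ptrdiff_t>(this->len) - lDelta);
+this->tot_len = static_cast<size_t>(static_cast<ptrdiff_t>(this->tot_len) - lDelta);
+#endif // CHIP_SYSTEM_CONFIG_USE_LWIP
 this->payload = aNewStart;
 }
 
@@ -224,17 +228,18 @@ void PacketBuffer::SetDataLength(size_t aNewLen, PacketBuffer * aChainHead)
 if (aNewLen > kMaxDataLen)
 aNewLen = kMaxDataLen;
 
-int32_t lDelta = static_cast<int32_t>(aNewLen) - static_cast<int32_t>(this->len);
+ssize_t lDelta = static_cast<ssize_t>(aNewLen) - static_cast<ssize_t>(this->len);
 
 #if CHIP_SYSTEM_CONFIG_USE_LWIP
-VerifyOrDieWithMsg(aNewLen < UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
-this->len = static_cast<uint16_t>(aNewLen);
-this->tot_len = static_cast<uint16_t>(static_cast<int32_t>(this->tot_len) + lDelta);
+VerifyOrDieWithMsg(aNewLen <= UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
+this->len = static_cast<uint16_t>(aNewLen);
+VerifyOrDieWithMsg((static_cast<ssize_t>(this->tot_len) + lDelta) <= UINT16_MAX, chipSystemLayer,
+"LwIP buffer length cannot exceed UINT16_MAX");
+this->tot_len = static_cast<uint16_t>(static_cast<ssize_t>(this->tot_len) + lDelta);
 #else
 this->len = aNewLen;
-this->tot_len = static_cast<size_t>(static_cast<int32_t>(this->tot_len) + lDelta);
-#endif
-
+this->tot_len = static_cast<size_t>(static_cast<ssize_t>(this->tot_len) + lDelta);
+#endif // CHIP_SYSTEM_CONFIG_USE_LWIP
 // SetDataLength is often called after a client finished writing to the buffer,
 // so it's a good time to check for possible corruption.
 Check(this);
@@ -243,9 +248,11 @@ void PacketBuffer::SetDataLength(size_t aNewLen, PacketBuffer * aChainHead)
 {
 Check(aChainHead);
 #if CHIP_SYSTEM_CONFIG_USE_LWIP
-aChainHead->tot_len = static_cast<uint16_t>(static_cast<int32_t>(aChainHead->tot_len) + lDelta);
+VerifyOrDieWithMsg((static_cast<ssize_t>(aChainHead->tot_len) + lDelta) <= UINT16_MAX, chipSystemLayer,
+"LwIP buffer length cannot exceed UINT16_MAX");
+aChainHead->tot_len = static_cast<uint16_t>(static_cast<ssize_t>(aChainHead->tot_len) + lDelta);
 #else
-aChainHead->tot_len = static_cast<size_t>(static_cast<int32_t>(aChainHead->tot_len) + lDelta);
+aChainHead->tot_len = static_cast<size_t>(static_cast<ssize_t>(aChainHead->tot_len) + lDelta);
 #endif
 aChainHead = aChainHead->ChainedBuffer();
 }
@@ -348,6 +355,7 @@ void PacketBuffer::CompactHead()
 lNextPacket.payload = static_cast<uint8_t *>(lNextPacket.payload) + lMoveLength;
 lAvailLength = lAvailLength - lMoveLength;
 #if CHIP_SYSTEM_CONFIG_USE_LWIP
+VerifyOrDieWithMsg((this->len + lMoveLength) <= UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
 this->len = static_cast<uint16_t>(this->len + lMoveLength);
 lNextPacket.len = static_cast<uint16_t>(lNextPacket.len - lMoveLength);
 lNextPacket.tot_len = static_cast<uint16_t>(lNextPacket.tot_len - lMoveLength);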
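Review bot: The LwIP checks added in SetDataLength test only the upper bound, for example `(static_cast<ssize_t>(aChainHead->tot_len) + lDelta) <= UINT16_MAX` in the chain-head loop. A negative sum, which can happen if a chain head's `tot_len` is smaller than the amount this buffer shrinks by, passes the check and then wraps in the `static_cast<uint16_t>`; the non-LwIP branch wraps to a huge `size_t` with no check at all. Checking both bounds would close that, for instance with the `CanCastTo<uint16_t>(...)` helper this commit uses in TLVPacketBufferBackingStore.cpp, assuming it is available in this file. Separately, SetDataLength introduces `ssize_t`, a POSIX type, while SetStart in the same file uses `ptrdiff_t` for the same kind of delta; `ptrdiff_t lDelta = ...` would be consistent and would not depend on POSIX headers.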

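--- a/src/system/TLVPacketBufferBackingStore.cpp
+++ b/src/system/TLVPacketBufferBackingStore.cpp
@@ -31,7 +31,8 @@ namespace System {
 CHIP_ERROR TLVPacketBufferBackingStore::OnInit(chip::TLV::TLVReader & reader, const uint8_t *& bufStart, uint32_t & bufLen)
 {
 bufStart = mHeadBuffer->Start();
-bufLen = static_cast<uint32_t>(mHeadBuffer->DataLength());
+VerifyOrReturnError(CanCastTo<uint32_t>(mHeadBuffer->DataLength()), CHIP_ERROR_INVALID_ARGUMENT);
+bufLen = static_cast<uint32_t>(mHeadBuffer->DataLength());
 return CHIP_NO_ERROR;
 }
 
@@ -54,7 +55,8 @@ CHIP_ERROR TLVPacketBufferBackingStore::GetNextBuffer(chip::TLV::TLVReader & rea
 else
 {
 bufStart = mCurrentBuffer->Start();
-bufLen = static_cast<uint32_t>(mCurrentBuffer->DataLength());
+VerifyOrReturnError(CanCastTo<uint32_t>(mCurrentBuffer->DataLength()), CHIP_ERROR_INVALID_ARGUMENT);
+bufLen = static_cast<uint32_t>(mCurrentBuffer->DataLength());
 }
 
 return CHIP_NO_ERROR;
@@ -63,7 +65,8 @@ CHIP_ERROR TLVPacketBufferBackingStore::GetNextBuffer(chip::TLV::TLVReader & rea
 CHIP_ERROR TLVPacketBufferBackingStore::OnInit(chip::TLV::TLVWriter & writer, uint8_t *& bufStart, uint32_t & bufLen)
 {
 bufStart = mHeadBuffer->Start() + mHeadBuffer->DataLength();
-bufLen = static_cast<uint32_t>(mHeadBuffer->AvailableDataLength());
+VerifyOrReturnError(CanCastTo<uint32_t>(mHeadBuffer->AvailableDataLength()), CHIP_ERROR_INVALID_ARGUMENT);
+bufLen = static_cast<uint32_t>(mHeadBuffer->AvailableDataLength());
 return CHIP_NO_ERROR;
 }
 
@@ -107,7 +110,8 @@ CHIP_ERROR TLVPacketBufferBackingStore::GetNewBuffer(chip::TLV::TLVWriter & writ
 else
 {
 bufStart = mCurrentBuffer->Start();
-bufLen = static_cast<uint32_t>(mCurrentBuffer->MaxDataLength());
+VerifyOrReturnError(CanCastTo<uint32_t>(mCurrentBuffer->MaxDataLength()), CHIP_ERROR_INVALID_ARGUMENT);
+bufLen = static_cast<uint32_t>(mCurrentBuffer->MaxDataLength());
 }
 
 return CHIP_NO_ERROR;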
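Review bot: In all four hunks the new `VerifyOrReturnError(CanCastTo<uint32_t>(...), CHIP_ERROR_INVALID_ARGUMENT)` sits after `bufStart` has already been assigned, so on failure the caller gets an error with `bufStart` updated and `bufLen` left at its previous value. Moving the check above the `bufStart = ...` line in both OnInit overloads, GetNextBuffer and GetNewBuffer keeps the two out-parameters consistent on the error path. The error code is also worth a look: the other length checks in this commit report `CHIP_ERROR_MESSAGE_TOO_LONG`, and an oversized buffer is not an invalid argument from the caller's point of view. GetNextBuffer and GetNewBuffer begin outside their hunks.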
