
Commit fb8863b

committedApr 16, 2024
Address review comments
1 parent 7bd3b05 commit fb8863b

17 files changed

+74
-44
lines changed
 

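--- a/src/ble/tests/TestBtpEngine.cpp
+++ b/src/ble/tests/TestBtpEngine.cpp
@@ -65,7 +65,7 @@ TEST_F(TestBtpEngine, HandleCharacteristicReceivedOnePacket)
 };
 
 auto packet0 = System::PacketBufferHandle::NewWithData(packetData0, sizeof(packetData0));
-EXPECT_EQ(packet0->DataLength(), 5);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(5));
 
 SequenceNumber_t receivedAck;
 bool didReceiveAck;
@@ -79,15 +79,15 @@ TEST_F(TestBtpEngine, HandleCharacteristicReceivedTwoPacket)
 constexpr uint8_t packetData1[] = { to_underlying(BtpEngine::HeaderFlags::kEndMessage), 0x02, 0xff };
 
 auto packet0 = System::PacketBufferHandle::NewWithData(packetData0, sizeof(packetData0));
-EXPECT_EQ(packet0->DataLength(), 5);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(5));
 
 SequenceNumber_t receivedAck;
 bool didReceiveAck;
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet0), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_InProgress);
 
 auto packet1 = System::PacketBufferHandle::NewWithData(packetData1, sizeof(packetData1));
-EXPECT_EQ(packet1->DataLength(), 3);
+EXPECT_EQ(packet1->DataLength(), static_cast<size_t>(3));
 
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet1), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_Complete);
@@ -100,21 +100,21 @@ TEST_F(TestBtpEngine, HandleCharacteristicReceivedThreePacket)
 constexpr uint8_t packetData2[] = { to_underlying(BtpEngine::HeaderFlags::kEndMessage), 0x03, 0xff };
 
 auto packet0 = System::PacketBufferHandle::NewWithData(packetData0, sizeof(packetData0));
-EXPECT_EQ(packet0->DataLength(), 5);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(5));
 
 SequenceNumber_t receivedAck;
 bool didReceiveAck;
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet0), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_InProgress);
 
 auto packet1 = System::PacketBufferHandle::NewWithData(packetData1, sizeof(packetData1));
-EXPECT_EQ(packet1->DataLength(), 3);
+EXPECT_EQ(packet1->DataLength(), static_cast<size_t>(3));
 
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet1), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_InProgress);
 
 auto packet2 = System::PacketBufferHandle::NewWithData(packetData2, sizeof(packetData2));
-EXPECT_EQ(packet2->DataLength(), 3);
+EXPECT_EQ(packet2->DataLength(), static_cast<size_t>(3));
 
 EXPECT_EQ(mBtpEngine.HandleCharacteristicReceived(std::move(packet2), receivedAck, didReceiveAck), CHIP_NO_ERROR);
 EXPECT_EQ(mBtpEngine.RxState(), BtpEngine::kState_Complete);
@@ -131,7 +131,7 @@ TEST_F(TestBtpEngine, HandleCharacteristicSendOnePacket)
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(packet0.Retain(), false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_Complete);
-EXPECT_EQ(packet0->DataLength(), 5);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(5));
 }
 
 TEST_F(TestBtpEngine, HandleCharacteristicSendTwoPacket)
@@ -145,11 +145,11 @@ TEST_F(TestBtpEngine, HandleCharacteristicSendTwoPacket)
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(packet0.Retain(), false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_InProgress);
-EXPECT_EQ(packet0->DataLength(), 20);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(20));
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(nullptr, false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_Complete);
-EXPECT_EQ(packet0->DataLength(), 16);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(16));
 }
 
 // Send 40-byte payload.
@@ -167,15 +167,15 @@ TEST_F(TestBtpEngine, HandleCharacteristicSendThreePacket)
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(packet0.Retain(), false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_InProgress);
-EXPECT_EQ(packet0->DataLength(), 20);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(20));
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(nullptr, false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_InProgress);
-EXPECT_EQ(packet0->DataLength(), 20);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(20));
 
 EXPECT_TRUE(mBtpEngine.HandleCharacteristicSend(nullptr, false));
 EXPECT_EQ(mBtpEngine.TxState(), BtpEngine::kState_Complete);
-EXPECT_EQ(packet0->DataLength(), 8);
+EXPECT_EQ(packet0->DataLength(), static_cast<size_t>(8));
 }
 
 } // namespace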

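--- a/src/inet/TCPEndPointImplLwIP.cpp
+++ b/src/inet/TCPEndPointImplLwIP.cpp
@@ -508,7 +508,7 @@ CHIP_ERROR TCPEndPointImplLwIP::AckReceive(size_t len)
 VerifyOrReturnError(IsConnected(), CHIP_ERROR_INCORRECT_STATE);
 CHIP_ERROR res = CHIP_NO_ERROR;
 
-VerifyOrReturnError(len < UINT16_MAX, CHIP_ERROR_INVALID_ARGUMENT);
+VerifyOrReturnError(len <= UINT16_MAX, CHIP_ERROR_INVALID_ARGUMENT);
 
 // Lock LwIP stack
 LOCK_TCPIP_CORE();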

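--- a/src/inet/TCPEndPointImplSockets.cpp
+++ b/src/inet/TCPEndPointImplSockets.cpp
@@ -483,7 +483,8 @@ CHIP_ERROR TCPEndPointImplSockets::DriveSendingImpl()
 
 while (!mSendQueue.IsNull())
 {
-uint32_t bufLen = static_cast<uint32_t>(mSendQueue->DataLength());
+//uint32_t bufLen = static_cast<uint32_t>(mSendQueue->DataLength());
+size_t bufLen = mSendQueue->DataLength();
 
 ssize_t lenSentRaw = send(mSocket, mSendQueue->Start(), bufLen, sendFlags);
 
@@ -496,14 +497,15 @@ CHIP_ERROR TCPEndPointImplSockets::DriveSendingImpl()
 break;
 }
 
-if (lenSentRaw < 0 || bufLen < static_cast<uint32_t>(lenSentRaw))
+if (lenSentRaw < 0 || bufLen < static_cast<size_t>(lenSentRaw))
 {
 err = CHIP_ERROR_INCORRECT_STATE;
 break;
 }
 
 // Cast is safe because bufLen is uint32_t.
-uint32_t lenSent = static_cast<uint32_t>(lenSentRaw);
+//uint32_t lenSent = static_cast<uint32_t>(lenSentRaw);
+size_t lenSent = static_cast<size_t>(lenSentRaw);
 
 // Mark the connection as being active.
 MarkActive();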
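Review bot: The comment `// Cast is safe because bufLen is uint32_t.` above the `lenSent` assignment is stale now that `bufLen` is `size_t`. The cast is safe because the preceding `if` has already rejected a negative `lenSentRaw` and one larger than `bufLen`, so the comment could read `// Cast is safe: lenSentRaw is non-negative and no larger than bufLen.` The two commented-out `//uint32_t ...` declarations should be deleted rather than kept beside their replacements. DriveSendingImpl starts and ends outside these hunks.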

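--- a/src/inet/UDPEndPointImplOpenThread.cpp
+++ b/src/inet/UDPEndPointImplOpenThread.cpp
@@ -225,7 +225,8 @@ CHIP_ERROR UDPEndPointImplOT::SendMsgImpl(const IPPacketInfo * aPktInfo, System:
 otMessageInfo messageInfo;
 
 // For now the entire message must fit within a single buffer.
-VerifyOrReturnError(!msg->HasChainedBuffer(), CHIP_ERROR_MESSAGE_TOO_LONG);
+VerifyOrReturnError(!msg->HasChainedBuffer() && msg->DataLength() <= UINT16_MAX,
+CHIP_ERROR_MESSAGE_TOO_LONG);
 
 memset(&messageInfo, 0, sizeof(messageInfo));
 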

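--- a/src/inet/UDPEndPointImplSockets.cpp
+++ b/src/inet/UDPEndPointImplSockets.cpp
@@ -610,7 +610,7 @@ void UDPEndPointImplSockets::HandlePendingIO(System::SocketEvents events)
 
 ssize_t rcvLen = recvmsg(mSocket, &msgHeader, MSG_DONTWAIT);
 
-if (rcvLen < 0)
+if (rcvLen == -1)
 {
 lStatus = CHIP_ERROR_POSIX(errno);
 }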
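Review bot: Narrowing the error test from `rcvLen < 0` to `rcvLen == -1` lets any other negative value fall through to the success path. POSIX documents only -1 as the failure return of recvmsg(), so the two conditions are equivalent in practice, but the code after this branch (outside the hunk) presumably treats `rcvLen` as a byte count, and `if (rcvLen < 0)` fails safe if that assumption is ever wrong. I would keep the broader comparison, or add a one-line comment explaining why only -1 is tested. HandlePendingIO continues outside the hunk.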

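--- a/src/lib/core/tests/TestTLV.cpp
+++ b/src/lib/core/tests/TestTLV.cpp
@@ -272,12 +272,12 @@ void TestDupBytes(nlTestSuite * inSuite, TLVReader & reader, Tag tag, const uint
 }
 
 void TestBufferContents(nlTestSuite * inSuite, const System::PacketBufferHandle & buffer, const uint8_t * expectedVal,
-uint32_t expectedLen)
+size_t expectedLen)
 {
 System::PacketBufferHandle buf = buffer.Retain();
 while (!buf.IsNull())
 {
-uint32_t len = static_cast<uint32_t>(buf->DataLength());
+size_t len = buf->DataLength();
 NL_TEST_ASSERT(inSuite, len <= expectedLen);
 
 NL_TEST_ASSERT(inSuite, memcmp(buf->Start(), expectedVal, len) == 0);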

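--- a/src/messaging/tests/echo/echo_requester.cpp
+++ b/src/messaging/tests/echo/echo_requester.cpp
@@ -183,7 +183,7 @@ void HandleEchoResponseReceived(chip::Messaging::ExchangeContext * ec, chip::Sys
 
 gEchoRespCount++;
 
-printf("Echo Response: %" PRIu64 "/%" PRIu64 "(%.2f%%) len=%u time=%.3fs\n", gEchoRespCount, gEchoCount,
+printf("Echo Response: %" PRIu64 "/%" PRIu64 "(%.2f%%) len=%" PRIu32 "time=%.3fs\n", gEchoRespCount, gEchoCount,
 static_cast<double>(gEchoRespCount) * 100 / static_cast<double>(gEchoCount),
 static_cast<uint32_t>(payload->DataLength()),
 static_cast<double>(chip::System::Clock::Milliseconds32(transitTime).count()) / 1000);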
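Review bot: The rewritten format string drops the space that separated the length from the next field, so `len=%" PRIu32 "time=%.3fs\n"` now prints the length and `time=` run together. Keep the separator inside the following literal: `len=%" PRIu32 " time=%.3fs\n"`. The same slip is in src/messaging/tests/echo/echo_responder.cpp, where `len=%" PRIu32 "... sending response.\n"` should be `len=%" PRIu32 " ... sending response.\n"` to match the old output. HandleEchoResponseReceived continues outside the hunk.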

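--- a/src/messaging/tests/echo/echo_responder.cpp
+++ b/src/messaging/tests/echo/echo_responder.cpp
@@ -49,7 +49,7 @@ chip::SessionHolder gSession;
 // Callback handler when a CHIP EchoRequest is received.
 void HandleEchoRequestReceived(chip::Messaging::ExchangeContext * ec, chip::System::PacketBufferHandle && payload)
 {
-printf("Echo Request, len=%u ... sending response.\n", static_cast<uint32_t>(payload->DataLength()));
+printf("Echo Request, len=%" PRIu32 "... sending response.\n", static_cast<uint32_t>(payload->DataLength()));
 }
 
 } // namespace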

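--- a/src/platform/ESP32/nimble/BLEManagerImpl.cpp
+++ b/src/platform/ESP32/nimble/BLEManagerImpl.cpp
@@ -575,6 +575,10 @@ bool BLEManagerImpl::SendIndication(BLE_CONNECTION_OBJECT conId, const ChipBleUU
 
 ESP_LOGD(TAG, "Sending indication for CHIPoBLE TX characteristic (con %u, len %u)", conId, data->DataLength());
 
+// For BLE, the buffer is capped at UINT16_MAX. Nevertheless, have a verify
+// check before the cast to uint16_t.
+VerifyOrExit(data->DataLength() <= UINT16_MAX, err = CHIP_ERROR_MESSAGE_TOO_LONG);
+
 om = ble_hs_mbuf_from_flat(data->Start(), static_cast<uint16_t>(data->DataLength()));
 if (om == NULL)
 {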
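Review bot: The `ESP_LOGD` call just above the new check still passes `data->DataLength()` straight to `%u`. If DataLength() now returns `size_t`, as the rest of this commit suggests, the argument type no longer matches the conversion. Cast it for the log, `static_cast<unsigned>(data->DataLength())`, and consider moving the `VerifyOrExit` ahead of the log so an oversized buffer is rejected before anything is formatted. SendIndication starts and ends outside the hunk, so how the exit path reports `err` is not visible here.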

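--- a/src/platform/Zephyr/BLEManagerImpl.cpp
+++ b/src/platform/Zephyr/BLEManagerImpl.cpp
@@ -659,6 +659,7 @@ bool BLEManagerImpl::SendIndication(BLE_CONNECTION_OBJECT conId, const ChipBleUU
 params->attr = &sChipoBleAttributes[kCHIPoBLE_CCC_AttributeIndex];
 params->func = HandleTXIndicated;
 params->data = pBuf->Start();
+VerifyOrExit(pBuf->DataLength() <= UINT16_MAX, err = CHIP_ERROR_MESSAGE_TOO_LONG);
 params->len = static_cast<uint16_t>(pBuf->DataLength());
 
 status = bt_gatt_indicate(conId, params);
@@ -837,6 +838,8 @@ ssize_t BLEManagerImpl::HandleC3Read(struct bt_conn * conId, const struct bt_gat
 return 0;
 }
 
+// For BLE, the max payload size is limited to UINT16_MAX since the length
+// field is 2 bytes long. So, the cast to uint16_t should be fine.
 return bt_gatt_attr_read(conId, attr, buf, len, offset, sInstance.c3CharDataBufferHandle->Start(),
 static_cast<uint16_t>(sInstance.c3CharDataBufferHandle->DataLength()));
 }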
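Review bot: In HandleC3Read the new comment says the cast to `uint16_t` "should be fine", but nothing in the visible code enforces that, whereas SendIndication in the same file now gets an explicit `VerifyOrExit(pBuf->DataLength() <= UINT16_MAX, ...)`. If `c3CharDataBufferHandle` ever held more than UINT16_MAX bytes, `static_cast<uint16_t>(...)` would silently truncate the length handed to `bt_gatt_attr_read`. Either guard the read the same way, for instance `if (!CanCastTo<uint16_t>(sInstance.c3CharDataBufferHandle->DataLength())) return 0;` mirroring the early `return 0;` above, or reword the comment to name where the bound is actually enforced. The start of HandleC3Read is outside the hunk.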

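--- a/src/platform/bouffalolab/common/BLEManagerImpl.cpp
+++ b/src/platform/bouffalolab/common/BLEManagerImpl.cpp
@@ -669,6 +669,9 @@ bool BLEManagerImpl::SendIndication(BLE_CONNECTION_OBJECT conId, const ChipBleUU
 params->attr = &sChipoBleAttributes[kCHIPoBLE_CCC_AttributeIndex];
 params->func = HandleTXIndicated;
 params->data = pBuf->Start();
+// For BLE, the buffer is capped at UINT16_MAX. Nevertheless, have a verify
+// check before the cast to uint16_t.
+VerifyOrExit(pBuf->DataLength() <= UINT16_MAX, err = CHIP_ERROR_MESSAGE_TOO_LONG);
 params->len = static_cast<uint16_t>(pBuf->DataLength());
 
 status = bt_gatt_indicate(conId, params);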

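--- a/src/platform/mbed/BLEManagerImpl.cpp
+++ b/src/platform/mbed/BLEManagerImpl.cpp
@@ -984,6 +984,9 @@ bool BLEManagerImpl::SendIndication(BLE_CONNECTION_OBJECT conId, const ChipBleUU
 ble::GattServer & gatt_server = ble::BLE::Instance().gattServer();
 ble::attribute_handle_t att_handle;
 
+// For BLE, the buffer is capped at UINT16_MAX.
+VerifyOrExit(pBuf->DataLength() <= UINT16_MAX, err = CHIP_ERROR_MESSAGE_TOO_LONG);
+
 // No need to do anything fancy here. Only 3 handles are used in this impl.
 if (UUIDsMatch(charId, &ChipUUID_CHIPoBLEChar_TX))
 {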

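--- a/src/protocols/secure_channel/CASESession.cpp
+++ b/src/protocols/secure_channel/CASESession.cpp
@@ -1580,7 +1580,7 @@ CHIP_ERROR CASESession::HandleSigma3a(System::PacketBufferHandle && msg)
 TLV::TLVType containerType = TLV::kTLVType_Structure;
 
 const uint8_t * buf = msg->Start();
-const uint32_t bufLen = static_cast<uint32_t>(msg->DataLength());
+const size_t bufLen = msg->DataLength();
 
 constexpr size_t kCaseOverheadForFutureTbeData = 128;
 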

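--- a/src/system/SystemPacketBuffer.cpp
+++ b/src/system/SystemPacketBuffer.cpp
@@ -117,7 +117,7 @@ void PacketBuffer::InternalCheck(const PacketBuffer * buffer)
 VerifyOrDieWithMsg(::chip::Platform::MemoryDebugCheckPointer(buffer, buffer->alloc_size + kStructureSize), chipSystemLayer,
 "invalid packet buffer pointer");
 VerifyOrDieWithMsg(buffer->alloc_size >= buffer->ReservedSize() + buffer->len, chipSystemLayer,
-"packet buffer overflow %u < %u+%u", static_cast<uint32_t>(buffer->alloc_size), buffer->ReservedSize(),
+"packet buffer overflow %" PRIu32 " < %" PRIu16 " +%" PRIu32, static_cast<uint32_t>(buffer->alloc_size), buffer->ReservedSize(),
 static_cast<uint32_t>(buffer->len));
 }
 }
@@ -137,7 +137,8 @@ void PacketBufferHandle::InternalRightSize()
 // Reallocate only if enough space will be saved.
 const uint8_t * const start = mBuffer->ReserveStart();
 const uint8_t * const payload = mBuffer->Start();
-const size_t usedSize = static_cast<size_t>(static_cast<uint32_t>(payload - start) + mBuffer->len);
+//const size_t usedSize = static_cast<size_t>((payload - start) + mBuffer->len);
+const size_t usedSize = static_cast<size_t>(payload - start) + mBuffer->len;
 if (usedSize + kRightSizingThreshold > mBuffer->alloc_size)
 {
 return;
@@ -204,16 +205,18 @@ void PacketBuffer::SetStart(uint8_t * aNewStart)
 aNewStart = kEnd;
 
 ptrdiff_t lDelta = aNewStart - static_cast<uint8_t *>(this->payload);
-if (lDelta > static_cast<int32_t>(this->len))
-lDelta = static_cast<int32_t>(this->len);
+if (lDelta > 0 && this->len < static_cast<size_t>(lDelta))
+lDelta = static_cast<ptrdiff_t>(this->len);
 
 #if CHIP_SYSTEM_CONFIG_USE_LWIP
-this->len = static_cast<uint16_t>(static_cast<int32_t>(this->len) - lDelta);
-this->tot_len = static_cast<uint16_t>(static_cast<int32_t>(this->tot_len) - lDelta);
+VerifyOrDieWithMsg((static_cast<ptrdiff_t>(this->len) - lDelta) <= UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
+this->len = static_cast<uint16_t>(static_cast<ptrdiff_t>(this->len) - lDelta);
+VerifyOrDieWithMsg((static_cast<ptrdiff_t>(this->tot_len) - lDelta) <= UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
+this->tot_len = static_cast<uint16_t>(static_cast<ptrdiff_t>(this->tot_len) - lDelta);
 #else
-this->len = static_cast<size_t>(static_cast<int32_t>(this->len) - lDelta);
-this->tot_len = static_cast<size_t>(static_cast<int32_t>(this->tot_len) - lDelta);
-#endif
+this->len = static_cast<size_t>(static_cast<ptrdiff_t>(this->len) - lDelta);
+this->tot_len = static_cast<size_t>(static_cast<ptrdiff_t>(this->tot_len) - lDelta);
+#endif // CHIP_SYSTEM_CONFIG_USE_LWIP
 this->payload = aNewStart;
 }
 
@@ -224,17 +227,17 @@ void PacketBuffer::SetDataLength(size_t aNewLen, PacketBuffer * aChainHead)
 if (aNewLen > kMaxDataLen)
 aNewLen = kMaxDataLen;
 
-int32_t lDelta = static_cast<int32_t>(aNewLen) - static_cast<int32_t>(this->len);
+ssize_t lDelta = static_cast<ssize_t>(aNewLen) - static_cast<ssize_t>(this->len);
 
 #if CHIP_SYSTEM_CONFIG_USE_LWIP
-VerifyOrDieWithMsg(aNewLen < UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
+VerifyOrDieWithMsg(aNewLen <= UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
 this->len = static_cast<uint16_t>(aNewLen);
-this->tot_len = static_cast<uint16_t>(static_cast<int32_t>(this->tot_len) + lDelta);
+VerifyOrDieWithMsg((static_cast<ssize_t>(this->tot_len) + lDelta) <= UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
+this->tot_len = static_cast<uint16_t>(static_cast<ssize_t>(this->tot_len) + lDelta);
 #else
 this->len = aNewLen;
-this->tot_len = static_cast<size_t>(static_cast<int32_t>(this->tot_len) + lDelta);
-#endif
-
+this->tot_len = static_cast<size_t>(static_cast<ssize_t>(this->tot_len) + lDelta);
+#endif // CHIP_SYSTEM_CONFIG_USE_LWIP
 // SetDataLength is often called after a client finished writing to the buffer,
 // so it's a good time to check for possible corruption.
 Check(this);
@@ -243,9 +246,10 @@ void PacketBuffer::SetDataLength(size_t aNewLen, PacketBuffer * aChainHead)
 {
 Check(aChainHead);
 #if CHIP_SYSTEM_CONFIG_USE_LWIP
-aChainHead->tot_len = static_cast<uint16_t>(static_cast<int32_t>(aChainHead->tot_len) + lDelta);
+VerifyOrDieWithMsg((static_cast<ssize_t>(aChainHead->tot_len) + lDelta) <= UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
+aChainHead->tot_len = static_cast<uint16_t>(static_cast<ssize_t>(aChainHead->tot_len) + lDelta);
 #else
-aChainHead->tot_len = static_cast<size_t>(static_cast<int32_t>(aChainHead->tot_len) + lDelta);
+aChainHead->tot_len = static_cast<size_t>(static_cast<ssize_t>(aChainHead->tot_len) + lDelta);
 #endif
 aChainHead = aChainHead->ChainedBuffer();
 }
@@ -348,6 +352,7 @@ void PacketBuffer::CompactHead()
 lNextPacket.payload = static_cast<uint8_t *>(lNextPacket.payload) + lMoveLength;
 lAvailLength = lAvailLength - lMoveLength;
 #if CHIP_SYSTEM_CONFIG_USE_LWIP
+VerifyOrDieWithMsg((this->len + lMoveLength) <= UINT16_MAX, chipSystemLayer, "LwIP buffer length cannot exceed UINT16_MAX");
 this->len = static_cast<uint16_t>(this->len + lMoveLength);
 lNextPacket.len = static_cast<uint16_t>(lNextPacket.len - lMoveLength);
 lNextPacket.tot_len = static_cast<uint16_t>(lNextPacket.tot_len - lMoveLength);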
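Review bot: SetDataLength now computes `lDelta` as `ssize_t`, while SetStart in the same commit uses `ptrdiff_t` for the same job. `ssize_t` is a POSIX type rather than standard C++, so `ptrdiff_t lDelta = static_cast<ptrdiff_t>(aNewLen) - static_cast<ptrdiff_t>(this->len);` would be more portable and consistent for a file that also builds against LwIP. The new LwIP `VerifyOrDieWithMsg` guards on `tot_len` test only the upper bound, so a negative intermediate (which would mean `tot_len` and `len` have gone out of step) still passes and wraps in the `static_cast<uint16_t>`; the condition could also require the value to be `>= 0`. The commented-out `//const size_t usedSize = ...` line in InternalRightSize should be deleted. All of these functions extend beyond their hunks.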

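--- a/src/system/TLVPacketBufferBackingStore.cpp
+++ b/src/system/TLVPacketBufferBackingStore.cpp
@@ -31,6 +31,7 @@ namespace System {
 CHIP_ERROR TLVPacketBufferBackingStore::OnInit(chip::TLV::TLVReader & reader, const uint8_t *& bufStart, uint32_t & bufLen)
 {
 bufStart = mHeadBuffer->Start();
+VerifyOrReturnError(CanCastTo<uint32_t>(mHeadBuffer->DataLength()), CHIP_ERROR_INVALID_ARGUMENT);
 bufLen = static_cast<uint32_t>(mHeadBuffer->DataLength());
 return CHIP_NO_ERROR;
 }
@@ -54,6 +55,7 @@ CHIP_ERROR TLVPacketBufferBackingStore::GetNextBuffer(chip::TLV::TLVReader & rea
 else
 {
 bufStart = mCurrentBuffer->Start();
+VerifyOrReturnError(CanCastTo<uint32_t>(mCurrentBuffer->DataLength()), CHIP_ERROR_INVALID_ARGUMENT);
 bufLen = static_cast<uint32_t>(mCurrentBuffer->DataLength());
 }
 
@@ -63,6 +65,7 @@ CHIP_ERROR TLVPacketBufferBackingStore::GetNextBuffer(chip::TLV::TLVReader & rea
 CHIP_ERROR TLVPacketBufferBackingStore::OnInit(chip::TLV::TLVWriter & writer, uint8_t *& bufStart, uint32_t & bufLen)
 {
 bufStart = mHeadBuffer->Start() + mHeadBuffer->DataLength();
+VerifyOrReturnError(CanCastTo<uint32_t>(mHeadBuffer->AvailableDataLength()), CHIP_ERROR_INVALID_ARGUMENT);
 bufLen = static_cast<uint32_t>(mHeadBuffer->AvailableDataLength());
 return CHIP_NO_ERROR;
 }
@@ -107,6 +110,7 @@ CHIP_ERROR TLVPacketBufferBackingStore::GetNewBuffer(chip::TLV::TLVWriter & writ
 else
 {
 bufStart = mCurrentBuffer->Start();
+VerifyOrReturnError(CanCastTo<uint32_t>(mCurrentBuffer->MaxDataLength()), CHIP_ERROR_INVALID_ARGUMENT);
 bufLen = static_cast<uint32_t>(mCurrentBuffer->MaxDataLength());
 }
 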
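Review bot: Each added `VerifyOrReturnError(CanCastTo<uint32_t>(...), CHIP_ERROR_INVALID_ARGUMENT)` sits after `bufStart` has already been assigned, so on failure the out-parameters are left half-updated: a fresh pointer paired with whatever `bufLen` held before the call. Doing the range check before touching `bufStart`, or setting `bufLen = 0` on the error path, would keep the pair consistent for a caller that mishandles the error; this applies to both `OnInit` overloads and to the `else` branches of GetNextBuffer and GetNewBuffer. Those two functions start outside their hunks, so whether `mCurrentBuffer` has already been advanced when the check fails cannot be confirmed from here.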
