Patch unsafe strlen in TLVWriter (project-chip#37065)

alexhqwang · web-flow · commit 9b58c2715d23 · 2025-01-16T01:33:12.000Z
* Patch unsafe strlen in TLVWriter

This is a vulnerability from Weave that was recently fixed. Apply
the patch to Matter TLVWriter as well. This avoids reading bad
pointers beyond stack-allocated memory.

&gt; One of the PutString function overloads makes a call to strlen
&gt; without safeguards. This has caused faults on several products when
&gt; passing in uninitialized memory. While these call sites have been
&gt; fixed with explicit initialization, we can also make the core
&gt; library more secure. Use the container to determine a maximum length
&gt; and avoid buffer overflow.

* Fix comment and apply clang-format

* Fixes for clang-tidy
diff --git a/src/lib/core/TLVWriter.cpp b/src/lib/core/TLVWriter.cpp
@@ -290,12 +290,26 @@ CHIP_ERROR TLVWriter::PutBytes(Tag tag, const uint8_t * buf, uint32_t len)
 
 CHIP_ERROR TLVWriter::PutString(Tag tag, const char * buf)
 {
-    size_t len = strlen(buf);
+    if (buf == nullptr)
+        return CHIP_ERROR_INVALID_ARGUMENT;
+    if (mMaxLen == 0)
+        return CHIP_ERROR_INCORRECT_STATE;
+
+    // Calculate length with a hard limit to prevent unbounded reads.
+    // Use mMaxLen instead of mRemainingLen to account for CircularTLVWriter.
+    // Note: Overrun is still possible if buf is not null-terminated, and this
+    // check cannot prevent all invalid memory reads.
+    size_t len = strnlen(buf, mMaxLen);
+
     if (!CanCastTo<uint32_t>(len))
-    {
         return CHIP_ERROR_INVALID_ARGUMENT;
-    }
-    return PutString(tag, buf, static_cast<uint32_t>(len));
+
+    uint32_t stringLen = static_cast<uint32_t>(len);
+
+    // Null terminator was not found within the allocated space.
+    if (stringLen == mMaxLen)
+        return CHIP_ERROR_BUFFER_TOO_SMALL;
+    return PutString(tag, buf, stringLen);
 }
 
 CHIP_ERROR TLVWriter::PutString(Tag tag, const char * buf, uint32_t len)
diff --git a/src/lib/core/tests/TestTLV.cpp b/src/lib/core/tests/TestTLV.cpp
@@ -2605,6 +2605,22 @@ TEST_F(TestTLV, CheckCircularTLVBufferEdge)
 
     TestEnd<TLVReader>(reader);
 }
+
+TEST_F(TestTLV, CheckTLVPutStringOverrun)
+{
+    const size_t bufSize          = 8;
+    uint8_t backingStore[bufSize] = {};
+
+    const char * badPointer = "Foo <segfault here>";
+
+    TLVWriter writer;
+
+    writer.Init(backingStore, bufSize);
+
+    CHIP_ERROR err = writer.PutString(ProfileTag(TestProfile_1, 1), badPointer);
+    EXPECT_EQ(err, CHIP_ERROR_BUFFER_TOO_SMALL);
+}
+
 TEST_F(TestTLV, CheckTLVPutStringF)
 {
     const size_t bufsize = 24;
