From 27ca6ec255b78168e04bd71e0f1a473869cf144b Mon Sep 17 00:00:00 2001 From: BoB13-Matter Date: Thu, 19 Dec 2024 04:42:26 +0900 Subject: [PATCH] Fix Null Pointer Dereference in TCP Packet Handling (#36751) * Fix Null Pointer Dereference in TCP Packet Handling * Fix handle zero messageSize in TCP packet processing * Add test for TCP MessageSize * Modify test * Restyled by clang-format * Modify the position of an if statement * Modify test --------- Co-authored-by: BoB13-Matter <--global> Co-authored-by: Restyled.io --- src/transport/raw/TCP.cpp | 8 ++++++++ src/transport/raw/tests/TestTCP.cpp | 9 ++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/src/transport/raw/TCP.cpp b/src/transport/raw/TCP.cpp index b73540d7956f29..f12ee7892ad2d0 100644 --- a/src/transport/raw/TCP.cpp +++ b/src/transport/raw/TCP.cpp @@ -343,7 +343,15 @@ CHIP_ERROR TCPBase::ProcessReceivedBuffer(Inet::TCPEndPoint * endPoint, const Pe // We have not yet received the complete message. return CHIP_NO_ERROR; } + state->mReceived.Consume(kPacketSizeBytes); + + if (messageSize == 0) + { + // No payload but considered a valid message. Return success to keep the connection alive. + return CHIP_NO_ERROR; + } + ReturnErrorOnFailure(ProcessSingleMessage(peerAddress, state, messageSize)); } diff --git a/src/transport/raw/tests/TestTCP.cpp b/src/transport/raw/tests/TestTCP.cpp index 80531491f288a0..80d56707481c45 100644 --- a/src/transport/raw/tests/TestTCP.cpp +++ b/src/transport/raw/tests/TestTCP.cpp @@ -64,7 +64,8 @@ constexpr NodeId kSourceNodeId = 123654; constexpr NodeId kDestinationNodeId = 111222333; constexpr uint32_t kMessageCounter = 18; -const char PAYLOAD[] = "Hello!"; +const char PAYLOAD[] = "Hello!"; +const char messageSize_TEST[] = "\x00\x00\x00\x00"; class MockTransportMgrDelegate : public chip::TransportMgrDelegate { @@ -633,6 +634,12 @@ TEST_F(TestTCP, CheckProcessReceivedBuffer) TestData testData[2]; gMockTransportMgrDelegate.SetCallback(TestDataCallbackCheck, testData); + // Test a single packet buffer with zero message size. + System::PacketBufferHandle buf = System::PacketBufferHandle::NewWithData(messageSize_TEST, 4); + ASSERT_NE(&buf, nullptr); + err = TestAccess::ProcessReceivedBuffer(tcp, lEndPoint, lPeerAddress, std::move(buf)); + EXPECT_EQ(err, CHIP_NO_ERROR); + // Test a single packet buffer. gMockTransportMgrDelegate.mReceiveHandlerCallCount = 0; EXPECT_TRUE(testData[0].Init((const uint32_t[]){ 111, 0 }));