[OTA] Use-after-free in OTAProviderExample::HandleQueryImage (#17965)

project-chip · Nov 8, 2023 · 9d52492 · 9d52492
1 parent faeb490
commit 9d52492
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/examples/ota-provider-app/ota-provider-common/OTAProviderExample.cpp b/examples/ota-provider-app/ota-provider-common/OTAProviderExample.cpp
@@ -123,8 +123,9 @@ void OTAProviderExample::SetOTACandidates(std::vector<OTAProviderExample::Device
  // Validate that each candidate matches the info in the image header
  for (auto candidate : mCandidates)
  {
+ OTAImageHeaderParser parser;
  OTAImageHeader header;
- ParseOTAHeader(candidate.otaURL, header);
+ ParseOTAHeader(parser, candidate.otaURL, header);
 
  ChipLogDetail(SoftwareUpdate, "Validating image list candidate %s: ", candidate.otaURL);
  VerifyOrDie(candidate.vendorId == header.mVendorId);
@@ -141,6 +142,7 @@ void OTAProviderExample::SetOTACandidates(std::vector<OTAProviderExample::Device
  {
  VerifyOrDie(candidate.maxApplicableSoftwareVersion == header.mMaxApplicableVersion.Value());
  }
+ parser.Clear();
  }
 }
 
@@ -190,9 +192,8 @@ UserConsentSubject OTAProviderExample::GetUserConsentSubject(const app::CommandH
  return subject;
 }
 
-bool OTAProviderExample::ParseOTAHeader(const char * otaFilePath, OTAImageHeader & header)
+bool OTAProviderExample::ParseOTAHeader(OTAImageHeaderParser & parser, const char * otaFilePath, OTAImageHeader & header)
 {
- OTAImageHeaderParser parser;
  uint8_t otaFileContent[kOtaHeaderMaxSize];
  ByteSpan buffer(otaFileContent);
 
@@ -223,8 +224,6 @@ bool OTAProviderExample::ParseOTAHeader(const char * otaFilePath, OTAImageHeader
  return false;
  }
 
- parser.Clear();
-
  return true;
 }
 
@@ -348,11 +347,13 @@ void OTAProviderExample::HandleQueryImage(app::CommandHandler * commandObj, cons
  else if (strlen(mOTAFilePath) > 0) // If OTA file is directly provided
  {
  // Parse the header and set version info based on the header
+ OTAImageHeaderParser parser;
  OTAImageHeader header;
- VerifyOrDie(ParseOTAHeader(mOTAFilePath, header) == true);
+ VerifyOrDie(ParseOTAHeader(parser, mOTAFilePath, header) == true);
  VerifyOrDie(sizeof(mSoftwareVersionString) > header.mSoftwareVersionString.size());
  mSoftwareVersion = header.mSoftwareVersion;
  memcpy(mSoftwareVersionString, header.mSoftwareVersionString.data(), header.mSoftwareVersionString.size());
+ parser.Clear();
  }
 
  // If mUserConsentNeeded (set by the CLI) is true and requestor is capable of taking user consent

diff --git a/examples/ota-provider-app/ota-provider-common/OTAProviderExample.h b/examples/ota-provider-app/ota-provider-common/OTAProviderExample.h
@@ -94,7 +94,7 @@ class OTAProviderExample : public chip::app::Clusters::OTAProviderDelegate
  const chip::app::Clusters::OtaSoftwareUpdateProvider::Commands::QueryImage::DecodableType & commandData,
  uint32_t targetVersion);
 
- bool ParseOTAHeader(const char * otaFilePath, chip::OTAImageHeader & header);
+ bool ParseOTAHeader(chip::OTAImageHeaderParser & parser, const char * otaFilePath, chip::OTAImageHeader & header);
 
  /**
  * Called to send the response for a QueryImage command. If an error is encountered, an error status will be sent.