-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix Null Pointer Dereference in TCP Packet Handling #36751
Fix Null Pointer Dereference in TCP Packet Handling #36751
Conversation
PR #36751: Size comparison from 9e671ad to 404db44 Full report (69 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
|
PR #36751: Size comparison from 5d42d92 to 6bfe4f5 Full report (69 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The Testing
section here seems to contain a "manual" entry. Please add more details (how does one test with "malformed packets" to reproduce the test) and add a justification why automated testing of this code is impossible.
We are intentionally trying to make the "manually tested" threshold high to avoid PRs being marked as "manually tested" because it is easier to do so.
Since this is a "Processed buffer" call, it does seem that this could be unit tested.
6bfe4f5
to
f494cd9
Compare
Thanks. I have added a new test in TestTCP.cpp to validate the behavior with malformed packets. Let me know if further modifications are needed. |
PR #36751: Size comparison from 4e44586 to cca52cd Full report (69 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
|
@BoB13-Matter this may need more fixes. Test fails on linux:
|
PR #36751: Size comparison from 4e44586 to d9316a2 Full report (69 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
|
ea24315
to
d9316a2
Compare
PR #36751: Size comparison from 3314bc3 to 65bde58 Full report (54 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
|
65bde58
to
042819f
Compare
PR #36751: Size comparison from b0d0614 to 042819f Full report (69 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, efr32, esp32, linux, nrfconnect, nxp, psoc6, qpg, stm32, telink, tizen)
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you!
Description
This PR fixes #36750 a null pointer dereference in
TCPBase::ProcessSingleMessage
caused by malformed TCP packets. The issue could lead to a Denial of Service (DoS) attack.Changes
Added a null pointer validation for
state->mReceived
before callingProcessSingleMessage
.This change prevents crash and print error log:
Testing
onoff on 1 1 --allow-large-payload 1
)