Verify packet size before accessing checksum
Calculating checksum without verifying that the dataLengthBytes
is correct could lead to potential security issues. This patch
fixes the issue.
Tested:
Unit tested
Change-Id: I2fa0deea99db7426924f7756a5dcd07e5e49121b
Signed-off-by: Kasun Athukorala <kasunath@google.com>
diff --git a/src/rde/rde_handler.cpp b/src/rde/rde_handler.cpp
index 2bd377a..1752ad9 100644
--- a/src/rde/rde_handler.cpp
+++ b/src/rde/rde_handler.cpp
@@ -241,6 +241,19 @@
const MultipartReceiveResHeader* header =
reinterpret_cast<const MultipartReceiveResHeader*>(
multiReceiveRespCmd.data());
+
+ // Validate that the total message size (header + data + checksum) does not
+ // exceed the actual size of the received buffer.
+ size_t expectedSize = sizeof(MultipartReceiveResHeader) +
+ header->dataLengthBytes + sizeof(uint32_t);
+ if (expectedSize != multiReceiveRespCmd.size())
+ {
+ stdplus::print(
+ stderr,
+ "Corruption detected: Invalid dataLengthBytes in header or not enough bytes for checksum.\n");
+ return RdeDecodeStatus::RdeInvalidCommand;
+ }
+
const uint8_t* checksumPtr =
multiReceiveRespCmd.data() + sizeof(MultipartReceiveResHeader) +
header->dataLengthBytes;
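Review bot: The added `expectedSize` computation reads `header->dataLengthBytes` through the `reinterpret_cast` pointer before anything in the lines shown confirms that `multiReceiveRespCmd.size()` is at least `sizeof(MultipartReceiveResHeader)`. If that lower bound is not enforced earlier in the function, a short response still causes an out-of-bounds read of the header itself, so a check such as `if (multiReceiveRespCmd.size() < sizeof(MultipartReceiveResHeader) + sizeof(uint32_t))` belongs ahead of the cast. Two smaller points on the same block: the comment says the total size must "not exceed" the buffer, while the code requires exact equality with `!=`, and the log text says "not enough bytes" even though it also fires for an oversized buffer, so both should state that the sizes must match. Also, the addition in `expectedSize` can wrap if `dataLengthBytes` is as wide as `size_t` on the target; once the lower bound is checked, comparing `header->dataLengthBytes` against `multiReceiveRespCmd.size() - sizeof(MultipartReceiveResHeader) - sizeof(uint32_t)` avoids the sum entirely.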