Verify packet size before accessing checksum
Calculating checksum without verifying that the dataLengthBytes
is correct, could lead to potential security issues. This patch
fixes the issue.
Tested:
Unit tested
Change-Id: I2fa0deea99db7426924f7756a5dcd07e5e49121b
Signed-off-by: Kasun Athukorala <kasunath@google.com>
diff --git a/test/rde_handler_test.cpp b/test/rde_handler_test.cpp
index efc3d31..c13feaa 100644
--- a/test/rde_handler_test.cpp
+++ b/test/rde_handler_test.cpp
@@ -571,6 +571,28 @@
2); // Both dictionaries should now be valid
}
+TEST_F(RdeCommandHandlerTest, MultiPartReceiveResp_HandleCrc_MismatchedSize)
+{
+ // Header will claim 10 bytes of data.
+ MultipartReceiveResHeader header{};
+ header.transferFlag = static_cast<uint8_t>(
+ RdeMultiReceiveTransferFlag::RdeMRecFlagStartAndEnd);
+ header.nextDataTransferHandle = 1; // dummy resource ID
+ header.dataLengthBytes = 10;
+
+ // Create a command that is exactly the size of the header + data, which
+ // means it is missing the 4-byte checksum. This will pass the initial size
+ // check but fail the one in handleCrc.
+ size_t actualSize =
+ sizeof(MultipartReceiveResHeader) + header.dataLengthBytes;
+ std::vector<uint8_t> command(actualSize);
+ memcpy(command.data(), &header, sizeof(header));
+
+ auto status = handler->decodeRdeCommand(
+ command, RdeCommandType::RdeMultiPartReceiveResponse);
+ EXPECT_EQ(status, RdeDecodeStatus::RdeInvalidCommand);
+}
+
/**
* @brief Dummy values for annotation dictionary. We do not need the annotation
* dictionary. So this contains a dictionary with some dummy values. But the RDE