net: openthread: rpc: handle NULL service subtype array

Damian-Nordic · maciejbaczmanski · commit 20a48098b3ed · 2025-03-26T11:57:07.000+01:00
The subtype array provided to otSrpClientAddService can
be NULL but the RPC client would try to always access
the array.

Signed-off-by: Damian Krolik &lt;damian.krolik@nordicsemi.no&gt;
diff --git a/subsys/net/openthread/rpc/client/ot_rpc_srp_client.c b/subsys/net/openthread/rpc/client/ot_rpc_srp_client.c
@@ -54,9 +54,11 @@ static void calc_subtypes_space(const char *const *subtypes, size_t *out_count,
 	size_t count = 0;
 	size_t cbor_size = 0;
 
-	for (; *subtypes; ++subtypes) {
-		++count;
-		cbor_size += 2 + strlen(*subtypes);
+	if (subtypes) {
+		for (; *subtypes; ++subtypes) {
+			++count;
+			cbor_size += 2 + strlen(*subtypes);
+		}
 	}
 
 	*out_count = count;
@@ -176,10 +178,15 @@ otError otSrpClientAddService(otInstance *aInstance, otSrpClientService *aServic
 	calc_txt_space(aService->mTxtEntries, aService->mNumTxtEntries, &txt_size);
 
 	cbor_buffer_size = 1 + sizeof(uintptr_t); /* Service pointer */
+	cbor_buffer_size += 1 + sizeof(num_subtypes);
+	cbor_buffer_size += 1 + sizeof(aService->mNumTxtEntries);
+	cbor_buffer_size += 1 + sizeof(name_len + instance_len + 2);
+	cbor_buffer_size += 1 + sizeof(subtypes_size);
+	cbor_buffer_size += 1 + sizeof(txt_size);
 	cbor_buffer_size += 2 + name_len;
 	cbor_buffer_size += 2 + instance_len;
-	cbor_buffer_size += 1 + subtypes_size; /* Array of service subtypes */
-	cbor_buffer_size += 1 + txt_size;      /* Map of TXT entries */
+	cbor_buffer_size += 2 + subtypes_size; /* Array of service subtypes */
+	cbor_buffer_size += 2 + txt_size;      /* Map of TXT entries */
 	cbor_buffer_size += 1 + sizeof(aService->mPort);
 	cbor_buffer_size += 1 + sizeof(aService->mPriority);
 	cbor_buffer_size += 1 + sizeof(aService->mWeight);
@@ -199,8 +206,11 @@ otError otSrpClientAddService(otInstance *aInstance, otSrpClientService *aServic
 
 	zcbor_list_start_encode(ctx.zs, num_subtypes);
 
-	for (const char *const *subtype = aService->mSubTypeLabels; *subtype != NULL; ++subtype) {
-		nrf_rpc_encode_str(&ctx, *subtype, -1);
+	if (aService->mSubTypeLabels != NULL) {
+		for (const char *const *subtype = aService->mSubTypeLabels; *subtype != NULL;
+		     ++subtype) {
+			nrf_rpc_encode_str(&ctx, *subtype, -1);
+		}
 	}
 
 	zcbor_list_end_encode(ctx.zs, num_subtypes);
diff --git a/tests/subsys/net/openthread/rpc/client/src/srp_client_suite.c b/tests/subsys/net/openthread/rpc/client/src/srp_client_suite.c
@@ -51,6 +51,36 @@
  * with indefinite lengths, which is true unless ZCBOR_CANONICAL Kconfig is not selected.
  */
 
+/* clang-format off */
+#define CBOR_SERVICE_MIN \
+	/* Subtypes num: */ \
+	0x0, \
+	/* TXT entry count: */ \
+	0x0, \
+	/* String buffer size (service + instance): */ \
+	0xb, \
+	/* Subtypes' buffer size: */ \
+	0x0, \
+	/* TXT buffer size: */ \
+	0x0, \
+	/* Service type: */ \
+	0x65, SERVICE_TYPE, \
+	/* Service instance: */ \
+	0x64, SERVICE_INSTANCE, \
+	/* Subtypes: */ \
+	0x9f, \
+	0xff, \
+	/* TXT: */ \
+	0xbf, \
+	0xff, \
+	/* Other fields: */ \
+	CBOR_UINT16(PORT_1), \
+	CBOR_UINT16(SERVICE_PRIORITY), \
+	CBOR_UINT16(SERVICE_WEIGHT), \
+	CBOR_UINT32(SERVICE_LEASE), \
+	CBOR_UINT32(SERVICE_KEY_LEASE)
+/* clang-format on */
+
 /* clang-format off */
 #define CBOR_SERVICE \
 	/* Subtypes num: */ \
@@ -118,6 +148,33 @@ static void tc_after(void *f)
 	mock_nrf_rpc_tr_expect_done();
 }
 
+/* Test serialization of otSrpClientAddService() with the minimal service data */
+ZTEST(ot_rpc_srp_client, test_otSrpClientAddService_min)
+{
+	otError error;
+	otSrpClientService service;
+
+	service.mName = MAKE_CSTR(SERVICE_TYPE);
+	service.mInstanceName = MAKE_CSTR(SERVICE_INSTANCE);
+	service.mSubTypeLabels = NULL;
+	service.mTxtEntries = NULL;
+	service.mPort = PORT_1;
+	service.mPriority = SERVICE_PRIORITY;
+	service.mWeight = SERVICE_WEIGHT;
+	service.mNumTxtEntries = 0;
+	service.mLease = SERVICE_LEASE;
+	service.mKeyLease = SERVICE_KEY_LEASE;
+
+	/* Test serialization of otSrpClientAddService() */
+	mock_nrf_rpc_tr_expect_add(RPC_CMD(OT_RPC_CMD_SRP_CLIENT_ADD_SERVICE,
+					   CBOR_UINT32((uintptr_t)&service), CBOR_SERVICE_MIN),
+				   RPC_RSP(OT_ERROR_NONE));
+	error = otSrpClientAddService(NULL, &service);
+	mock_nrf_rpc_tr_expect_done();
+
+	zassert_equal(error, OT_ERROR_NONE);
+}
+
 /* Test serialization of otSrpClientAddService() followed by otSrpClientClearService() */
 ZTEST(ot_rpc_srp_client, test_otSrpClientAddService_otSrpClientClearService)
 {
