controller: Harden zwave_controller_transport by checking invalid params

rzr · rzr · commit 1685c272b16c · 2025-06-20T18:12:33.000+02:00
This check is theorical because no z-wave frame is expected to be empty ncp should filter this to some extends. The zapi dispatcher is testing frames pointer, so the risk of exploitation is prevented at higher level. Origin: SiliconLabsSoftware#124 Bug-SiliconLabs: UIC-3668 Relate-to: SLVDBBP-3169975 Relate-to: SiliconLabsSoftware/z-wave-engine-application-layer#42 Signed-off-by: Philippe Coval <philippe.coval@silabs.com>
diff --git a/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_callbacks.c b/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_callbacks.c
@@ -318,8 +318,11 @@ void zwave_controller_on_frame_received(
                                       rx_options,
                                       frame_data,
                                       frame_length);
+  } else if (status == SL_STATUS_INVALID_PARAMETER) {
+      sl_log_warning(LOG_TAG,
+                     "zwave_controller_on_frame_received: Invalid params");
   }
-}
+} 
 
 void zwave_controller_on_protocol_cc_encryption_request_received(
   const zwave_node_id_t destination_node_id,
diff --git a/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_transport.c b/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_transport.c
@@ -15,6 +15,7 @@
 #include "zwave_controller_transport_internal.h"
 
 // Generic includes
+#include <assert.h>
 #include <string.h>
 
 // ZPC includes
@@ -105,6 +106,11 @@ sl_status_t zwave_controller_transport_on_frame_received(
   uint16_t frame_length)
 {
   const zwave_controller_transport_t *t;
+  assert(frame_data);
+  assert(frame_length >= 1);
+  if (!frame_data || frame_length < 1) {
+    return (SL_STATUS_INVALID_PARAMETER);
+  }
   t = get_transport_by_class(frame_data[0]);
 
   // Do we support this, we decode this only based of the command class
@@ -165,4 +171,4 @@ sl_status_t
     }
   }
   return SL_STATUS_NOT_FOUND;
-}
+}
diff --git a/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_transport_internal.h b/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_transport_internal.h
@@ -37,8 +37,10 @@ extern "C" {
  * @param rx_options      Receive specific information
  * @param frame_data      Pointer to de-encapsulated data
  * @param frame_length    Length of data
- * @return SL_STATUS_NOT_FOUND if no handler was found. Otherwise the status if
- * the executed hander list returned
+ * @return
+ * SL_STATUS_NOT_FOUND if no handler was found.
+ * SL_STATUS_INVALID_PARAMETER on invalid frames
+ * Otherwise the status if the executed hander list returned
  */
 sl_status_t zwave_controller_transport_on_frame_received(
     const zwave_controller_connection_info_t *connection_info,
