
Commit 73a2e18

committed
fix(cc/nif): Allocate more space for NIF to unpacking extended cc
Origin: SiliconLabsSoftware#125 Bug-SiliconLabs: UIC-3664 Relate-to: SLVDBBP-3162484 Relate-to: SiliconLabsSoftware/z-wave-engine-application-layer#42 Signed-off-by: Philippe Coval <[email protected]>
1 parent 85e13a7 commit 73a2e18


2 files changed

+26
-15
lines changed


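--- a/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_utils.c
+++ b/applications/zpc/components/zwave/zwave_controller/src/zwave_controller_utils.c
@@ -286,11 +286,18 @@ void zwave_command_class_list_unpack(zwave_node_info_t *node_info,
          && (i < ZWAVE_CONTROLLER_MAXIMUM_COMMAND_CLASS_LIST_LENGTH)) {
     // Check if it's extended CC format (2 bytes length). Check
     // CC:0000.00.00.11.001 for more details
-    if (((nif[nif_index] & 0xF0) == 0xF0) && (nif_index < nif_length - 1)) {
-      node_info->command_class_list[i]
-        = ((nif[nif_index] & 0xFF) << 8) | nif[nif_index + 1];
-      i++;
-      nif_index += 2;
+    if (nif[nif_index] >= 0xF1) { // Belong to extended range
+      if (nif_index < nif_length - 1) { // Prevent read beyond
+        node_info->command_class_list[i]
+          = ((nif[nif_index] & 0xFF) << 8) | nif[nif_index + 1];
+        i++;
+        nif_index += 2;
+      } else {
+        sl_log_warning(
+          LOG_TAG,
+          "warning: zwave_command_class_list_unpack: invalid input: skipping");
+        assert(false);
+      }
     } else {
       node_info->command_class_list[i++] = nif[nif_index++];
     }
@@ -303,10 +310,13 @@ void zwave_command_class_list_pack(const zwave_node_info_t *node_info,
                                    uint8_t *nif_length)
 {
   uint8_t nif_index = 0;
+
+  assert(node_info->command_class_list_length
+         <= ZWAVE_CONTROLLER_MAXIMUM_COMMAND_CLASS_LIST_LENGTH);
   for (uint8_t i = 0; i < node_info->command_class_list_length
                       && i < ZWAVE_CONTROLLER_MAXIMUM_COMMAND_CLASS_LIST_LENGTH;
        i++) {
-    if (node_info->command_class_list[i] >= 0xF0) {
+    if (node_info->command_class_list[i] > 0xFF) { // Ext (2 bytes ids)
       nif[nif_index++] = node_info->command_class_list[i] >> 8;
       nif[nif_index++] = node_info->command_class_list[i];
     } else {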
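Review bot: In the new `else` branch of zwave_command_class_list_unpack (new lines 295-300) neither `nif_index` nor `i` is advanced, so if the enclosing loop, whose header is outside the hunk, runs on `nif_index < nif_length`, a NIF whose final byte is >= 0xF1 never terminates once `assert` is compiled out under NDEBUG; the log text says "skipping" but nothing is skipped. Consuming the dangling byte with `nif_index++;` before the closing brace (or a `break;`) makes the skip real and the loop finite in every build. A NIF is, as the function name suggests, data received from a remote node, so `assert(false)` on it turns a single malformed frame into a process abort in debug builds; log-and-skip is the safer reaction to input the controller does not own. On the pack side the threshold is now `> 0xFF` while unpack treats any first byte `>= 0xF1` as extended, so a stored single-byte id in 0xF1..0xFF would not round-trip; presumably such ids are not valid, but a one-line comment stating that would stop the asymmetry from looking like a mistake.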

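--- a/applications/zpc/components/zwave_command_classes/src/zwave_command_class_node_info_resolver.c
+++ b/applications/zpc/components/zwave_command_classes/src/zwave_command_class_node_info_resolver.c
@@ -267,8 +267,8 @@ static void on_node_information_update(zwave_node_id_t node_id,
     = attribute_store_get_first_child_by_type(endpoint_id_node,
                                               ATTRIBUTE_ZWAVE_NIF);
 
-  // Pack the NIF data into a nif array:
-  uint8_t nif[ZWAVE_CONTROLLER_MAXIMUM_COMMAND_CLASS_LIST_LENGTH];
+  // Pack the NIF data into a nif array (doubled in case of 2 bytes cc)
+  uint8_t nif[ZWAVE_CONTROLLER_MAXIMUM_COMMAND_CLASS_LIST_LENGTH * 2];
   uint8_t nif_length = 0;
   zwave_command_class_list_pack(node_info, nif, &nif_length);
 
@@ -280,13 +280,14 @@ static void on_node_information_update(zwave_node_id_t node_id,
                                          node_id,
                                          nif,
                                          nif_length)) {
-    if (nif_length >= ZWAVE_CONTROLLER_MAXIMUM_COMMAND_CLASS_LIST_LENGTH) {
-      // Overflow, just return and toss the faulty NIF.
-      return;
-    }
-    // Keep S2 in the NIF !
-    nif[nif_length] = COMMAND_CLASS_SECURITY_2;
-    nif_length += 1;
+    if (nif_length < sizeof(nif)) {
+      // Keep S2 in the NIF !
+      nif[nif_length] = COMMAND_CLASS_SECURITY_2;
+      nif_length += 1;
+    } else {
+      // Overflow, just return and toss the faulty NIF.
+      return;
+    }
   }
 
   attribute_store_set_reported(non_secure_nif_node, nif, nif_length);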
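Review bot: The doubled buffer `nif[ZWAVE_CONTROLLER_MAXIMUM_COMMAND_CLASS_LIST_LENGTH * 2]` (new line 271) is indexed through `uint8_t nif_length` here and `uint8_t nif_index` in zwave_command_class_list_pack, so the fix only holds while the doubled size still fits in a byte, and the macro's value is not visible in this diff. A compile-time guard next to the declaration pins that assumption rather than leaving it to a silent wrap: `_Static_assert(ZWAVE_CONTROLLER_MAXIMUM_COMMAND_CLASS_LIST_LENGTH * 2 <= UINT8_MAX, "nif is indexed with uint8_t");`. The `nif_length < sizeof(nif)` check before appending COMMAND_CLASS_SECURITY_2 is right for this local array, but it degrades to `sizeof(uint8_t *)` if the buffer is ever moved behind a pointer, which a short comment on line 283 (`// sizeof is valid here only because nif is a local array`) would guard against. on_node_information_update starts and ends outside the hunk.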
