fix(zwapi): Prevent injection while refreshing caps

rzr · rzr · commit 7a0ff983dfc5 · 2025-07-21T17:49:12.000+02:00
This fix isolated to test the following test (with and without/revert) it. The issue should be detected sooner (before calling zwapi_session_flush_queue) 2025-Jun-20 16:34:15.434395 <E> [zwapi_init] zwapi_refresh_capabilities: invalid supported_bitmask By the way, It has been observed that using z-wave-stack-binaries length is clamped from 33 to 31 (this is unexpected, it could be caused by non aligned defs). Origin: SiliconLabsSoftware#126 Relate-to: SiliconLabsSoftware#125 Bug-SiliconLabs: UIC-3664 Relate-to: SLVDBBP-3162484 Relate-to: SiliconLabsSoftware/z-wave-engine-application-layer#42 Signed-off-by: Philippe Coval <philippe.coval@silabs.com>
diff --git a/applications/zpc/components/zwave_api/src/zwapi_init.c b/applications/zpc/components/zwave_api/src/zwapi_init.c
@@ -161,7 +161,8 @@ sl_status_t zwapi_refresh_capabilities(void)
                  "Failed to fetch capabilities from the Z-Wave module\n");
     return capabilities_status;
   }
-  if (response_length > (IDX_DATA + 7)) {
+  if (response_length > (IDX_DATA + 7)
+      && (response_length <= FRAME_LENGTH_MAX)) {
     uint8_t current_index = IDX_DATA;
     chip.version_major    = response_buffer[current_index++];
     chip.version_minor    = response_buffer[current_index++];
@@ -171,9 +172,16 @@ sl_status_t zwapi_refresh_capabilities(void)
     chip.product_type |= response_buffer[current_index++];
     chip.product_id = response_buffer[current_index++] << 8;
     chip.product_id |= response_buffer[current_index++];
-    memcpy(chip.supported_bitmask,
-           &(response_buffer[current_index]),
-           response_length - (current_index - 1));
+    size_t length = response_length - (current_index - 1);
+    if (length > sizeof(chip.supported_bitmask)) {
+      sl_log_warning(
+        LOG_TAG,
+        "zwapi_refresh_capabilities: clamping supported_bitmask response from %d to %d\n",
+        length,
+        sizeof(chip.supported_bitmask));
+      length = sizeof(chip.supported_bitmask);
+    }
+    memcpy(chip.supported_bitmask, &(response_buffer[current_index]), length);
   } else {
     return SL_STATUS_FAIL;
   }
