fix(zwapi): Prevent injection while refreshing caps

rzr · rzr · commit b63d24cde351 · 2025-06-20T18:20:38.000+02:00
This fix isolated to test the following test (with and without/revert) it. The issue should be detected sooner (before calling zwapi_session_flush_queue) 2025-Jun-20 16:34:15.434395 <E> [zwapi_init] zwapi_refresh_capabilities: invalid supported_bitmask Origin: SiliconLabsSoftware#125 Bug-SiliconLabs: UIC-3664 Relate-to: SLVDBBP-3162484 Relate-to: SiliconLabsSoftware/z-wave-engine-application-layer#42 Signed-off-by: Philippe Coval <philippe.coval@silabs.com>
diff --git a/applications/zpc/components/zwave_api/src/zwapi_init.c b/applications/zpc/components/zwave_api/src/zwapi_init.c
@@ -161,7 +161,7 @@ sl_status_t zwapi_refresh_capabilities(void)
                  "Failed to fetch capabilities from the Z-Wave module\n");
     return capabilities_status;
   }
-  if (response_length > (IDX_DATA + 7)) {
+  if (response_length > (IDX_DATA + 7) && (response_length <= FRAME_LENGTH_MAX)) {
     uint8_t current_index = IDX_DATA;
     chip.version_major    = response_buffer[current_index++];
     chip.version_minor    = response_buffer[current_index++];
@@ -171,9 +171,14 @@ sl_status_t zwapi_refresh_capabilities(void)
     chip.product_type |= response_buffer[current_index++];
     chip.product_id = response_buffer[current_index++] << 8;
     chip.product_id |= response_buffer[current_index++];
+    size_t length = response_length - (current_index - 1);
+    if (length > sizeof(chip.supported_bitmask)) {
+      sl_log_error(LOG_TAG, "zwapi_refresh_capabilities: invalid supported_bitmask\n");
+      return SL_STATUS_FAIL;    
+    }
     memcpy(chip.supported_bitmask,
-           &(response_buffer[current_index]),
-           response_length - (current_index - 1));
+      &(response_buffer[current_index]),
+      length);
   } else {
     return SL_STATUS_FAIL;
   }
