Fix attribute reads into a large buffer to not read random memory. #4382
Conversation
When reading an attribute value into a large buffer, we would read the number of bytes that can fit in the buffer, not the number of bytes the attribute value actually takes up. This would cause us to read whatever memory came after the attribute value. Also fixes some issues in typeSensitiveMemCopy when trying to read a string-valued attribute into a buffer that's not even big enough to fit the length value of the string. Fixes project-chip#4371
bzbarsky-apple
force-pushed
the
fix-type-sensitive-copy
branch
from
fb6daac to
041988c
Compare
pullapprove
bot
requested review from
andy31415,
BroderickCarlin,
chrisdecenzo,
hawk248,
jelderton,
mspang,
rwalker-apple and
saurabhst
|
Size increase report for "esp32-example-build" from be3279a
Full report output |
|
Size increase report for "nrfconnect-example-build" from be3279a
Full report output |
| uint16_t size = (readLength == 0) ? am->size : readLength; | ||
| // readLength == 0 for a read indicates that we should just trust that the | ||
| // caller has enough space for an attribute... | ||
| bool ignoreReadLength = write || (readLength == 0); |
There was a problem hiding this comment.
why is the caller buffer size ignored when write is set? I would expect at least a min(readLength, am-size) and I think we should log on mismatch to catch logic errors.
Generally I have complains about this method to start with: a buffer length that seems to be only relevant on read (called readLength) but method used on both read and write and a direction parameter when the caller could just have flipped src and destination.
I generally would apply the test 'Can one clearly in one sentence describe what a method does, generally without 'IF' or conditionals?'. I think this method fails hard because it has a 'write' parameter that affects behaviour as well as special conditions for readLength.
Could we fix up this method and make it somehow easier to use?
There was a problem hiding this comment.
why is the caller buffer size ignored when write is set?
Apart from that being the documented behavior of emAfReadOrWriteAttribute and all callers who set write passing 0 for the size? I'm afraid I don't know why the setup is the way it is; that's a question for @selissia or @tecimovic.
Could we fix up this method and make it somehow easier to use?
Yes, we could, and I agree we should. We'd need to audit all consumers to see what they are doing with readLength; the comments suggest that there are legacy consumers that pass 0 for reads as well....
I'm happy to do that, but it might be a few days before I can pull enough time off of spec stuff to do it. I'm happy to land this in the meantime to unblock your ASan changes and do the larger semantic-changing refactoring in a followup, or expand the scope of this PR, as long as you're OK with the corresponding lag. Please let me know.
There was a problem hiding this comment.
created #4394 to track improvement in buffer handling within this code.
Is this generated code? if so, how would one go about on changing the code and updating?
There was a problem hiding this comment.
Just to close the loop on this: this is not generated code.
When reading an attribute value into a large buffer, we would read the
number of bytes that can fit in the buffer, not the number of bytes
the attribute value actually takes up. This would cause us to read
whatever memory came after the attribute value.
Also fixes some issues in typeSensitiveMemCopy when trying to
read a string-valued attribute into a buffer that's not even big
enough to fit the length value of the string.
Fixes #4371
Problem
We end up reading out-of-bounds memory when doing attribute reporting.
Summary of Changes
Fix
typeSensitiveMemCopyto not read memory it should not.