Added malformed message check to nested IE discovery.

Juha Heiskanen · juhhei01 · commit 9e46cf9980bc · 2018-02-02T15:07:20.000+02:00
Change-Id: Ia4ee197107a9e6b8bb8126c8b0b445b121f9f7ef
diff --git a/source/6LoWPAN/MAC/mac_ie_lib.c b/source/6LoWPAN/MAC/mac_ie_lib.c
@@ -26,11 +26,13 @@
 #define MAC_IE_HEADER_ID_MASK 0x7f80
 #define MAC_IE_PAYLOAD_LENGTH_MASK 0x07ff
 #define MAC_IE_PAYLOAD_ID_MASK 0x7800
+#define MAC_IE_TYPE_PAYLOAD_MASK 0x8000
 
 #define MAC_NESTED_LONG_IE_PAYLOAD_LENGTH_MASK 0x07ff
 #define MAC_NESTED_LONG_IE_PAYLOAD_ID_MASK 0x7800
 #define MAC_NESTED_SHORT_IE_PAYLOAD_LENGTH_MASK 0x00ff
 #define MAC_NESTED_SHORT_IE_PAYLOAD_ID_MASK 0x7f00
+#define MAC_NESTED_IE_TYPE_LONG_MASK 0x8000
 
 static void mac_ie_header_parse(mac_header_IE_t *header_element, uint8_t *ptr)
 {
@@ -52,7 +54,7 @@ static void mac_ie_nested_id_parse(mac_nested_payload_IE_t *element, uint8_t *pt
 {
     uint16_t ie_dummy = common_read_16_bit_inverse(ptr);
 
-    if (ie_dummy & 0x8000) {
+    if (ie_dummy & MAC_NESTED_IE_TYPE_LONG_MASK) {
         element->type_long = true;
         element->length = (ie_dummy & MAC_NESTED_LONG_IE_PAYLOAD_LENGTH_MASK);
         element->id = ((ie_dummy & MAC_NESTED_LONG_IE_PAYLOAD_ID_MASK  ) >> 11);
@@ -77,15 +79,15 @@ uint8_t *mac_ie_header_base_write(uint8_t *ptr, uint8_t type, uint16_t length)
 uint8_t *mac_ie_payload_base_write(uint8_t *ptr, uint8_t type, uint16_t length)
 {
 
-    uint16_t ie_dummy = 0x8000; //Payload type
+    uint16_t ie_dummy = MAC_IE_TYPE_PAYLOAD_MASK; //Payload type
     ie_dummy |= (length & MAC_IE_PAYLOAD_LENGTH_MASK);
     ie_dummy |= ((type << 11 ) &  MAC_IE_PAYLOAD_ID_MASK);
     return common_write_16_bit_inverse(ie_dummy, ptr);
 }
 
 uint8_t *mac_ie_nested_ie_long_base_write(uint8_t *ptr, uint8_t sub_id, uint16_t length)
 {
-    uint16_t ie_dummy = 0x8000;
+    uint16_t ie_dummy = MAC_NESTED_IE_TYPE_LONG_MASK;
     ie_dummy |= (length & MAC_NESTED_LONG_IE_PAYLOAD_LENGTH_MASK);
     ie_dummy |= ((sub_id << 11 ) &  MAC_NESTED_LONG_IE_PAYLOAD_ID_MASK);
 
@@ -112,7 +114,7 @@ uint16_t mac_ie_payload_discover(uint8_t *payload_ptr, uint16_t length, mac_payl
             return ie_element.length;
         }
 
-        length -= ie_element.length +2;
+        length -= ie_element.length + 2;
 
         payload_ptr += ie_element.length + 2;
     }
@@ -124,13 +126,18 @@ uint16_t mac_ie_nested_discover(uint8_t *payload_ptr, uint16_t length, mac_neste
     mac_nested_payload_IE_t ie_element;
     while (length >= 2) {
         mac_ie_nested_id_parse(&ie_element, payload_ptr);
+
+        if (length < ie_element.length + 2) {
+            return 0;
+        }
+
         if (nested_ie->id == ie_element.id && nested_ie->type_long == ie_element.type_long) {
             nested_ie->content_ptr = ie_element.content_ptr;
             nested_ie->length = ie_element.length;
             return ie_element.length;
         }
 
-        length -= ie_element.length +2;
+        length -= ie_element.length + 2;
 
         payload_ptr += ie_element.length + 2;
     }
@@ -148,7 +155,7 @@ uint8_t mac_ie_header_discover(uint8_t *header_ptr, uint16_t length, mac_header_
             return ie_element.length;
         }
 
-        length -= ie_element.length +2;
+        length -= ie_element.length + 2;
 
         header_ptr += ie_element.length + 2;
     }
@@ -170,7 +177,7 @@ uint8_t mac_ie_header_sub_id_discover(uint8_t *header_ptr, uint16_t length, mac_
             return ie_element.length;
         }
 
-        length -= ie_element.length +2;
+        length -= ie_element.length + 2;
 
         header_ptr += ie_element.length + 2;
     }
diff --git a/source/6LoWPAN/MAC/mac_ie_lib.h b/source/6LoWPAN/MAC/mac_ie_lib.h
@@ -34,7 +34,7 @@ typedef struct mac_nested_payload_IE_s {
 /** IE header element generic header write */
 uint8_t *mac_ie_header_base_write(uint8_t *ptr, uint8_t type, uint16_t length);
 
-/** IE ayload element generic header write */
+/** IE payload element generic header write */
 uint8_t *mac_ie_payload_base_write(uint8_t *ptr, uint8_t type, uint16_t length);
 
 /** Nested IE long header write */
@@ -46,7 +46,7 @@ uint8_t *mac_ie_nested_ie_short_base_write(uint8_t *ptr, uint8_t sub_id, uint16_
 /** Payload IE discover for spesific group ID */
 uint16_t mac_ie_payload_discover(uint8_t *payload_ptr, uint16_t length, struct mac_payload_IE_s * payload_ie);
 
-/** Nested IE element discover inside parsed payload elemnt */
+/** Nested IE element discover inside parsed payload element */
 uint16_t mac_ie_nested_discover(uint8_t *payload_ptr, uint16_t length, mac_nested_payload_IE_t * nested_ie);
 
 /** Header IE elemnt discover */
diff --git a/test/nanostack/unittest/6lp_mac/mac_ie_lib/test_mac_ie_lib.c b/test/nanostack/unittest/6lp_mac/mac_ie_lib/test_mac_ie_lib.c
@@ -162,6 +162,26 @@ bool test_mac_ie_nested_discover()
         return false;
     }
 
+    common_functions_stub.readuint16_from_queue = 2;
+
+    common_functions_stub.uint16_value_queue[1] = 0x8000 + 7;
+    common_functions_stub.uint16_value_queue[1] |= ((2 << 11 ) &  0x7800);
+    common_functions_stub.uint16_value_queue[0] =  40;
+    common_functions_stub.uint16_value_queue[0] |= ((1 << 8 ) &  0x7f00);
+    if (mac_ie_nested_discover(buffer, 50, &mac_payload_ie)) { //1 byte too short
+        return false;
+    }
+
+    common_functions_stub.readuint16_from_queue = 2;
+
+    common_functions_stub.uint16_value_queue[1] = 0x8000 + 7;
+    common_functions_stub.uint16_value_queue[1] |= ((2 << 11 ) &  0x7800);
+    common_functions_stub.uint16_value_queue[0] =  70;
+    common_functions_stub.uint16_value_queue[0] |= ((1 << 8 ) &  0x7f00);
+    if (mac_ie_nested_discover(buffer, 51, &mac_payload_ie)) { //Plenty off too long
+        return false;
+    }
+
 
     return true;
 }

Original file line number	Diff line number	Diff line change
`@@ -26,11 +26,13 @@`
`26`	`26`	`#define MAC_IE_HEADER_ID_MASK 0x7f80`
`27`	`27`	`#define MAC_IE_PAYLOAD_LENGTH_MASK 0x07ff`
`28`	`28`	`#define MAC_IE_PAYLOAD_ID_MASK 0x7800`
	`29`	`+#define MAC_IE_TYPE_PAYLOAD_MASK 0x8000`
`29`	`30`
`30`	`31`	`#define MAC_NESTED_LONG_IE_PAYLOAD_LENGTH_MASK 0x07ff`
`31`	`32`	`#define MAC_NESTED_LONG_IE_PAYLOAD_ID_MASK 0x7800`
`32`	`33`	`#define MAC_NESTED_SHORT_IE_PAYLOAD_LENGTH_MASK 0x00ff`
`33`	`34`	`#define MAC_NESTED_SHORT_IE_PAYLOAD_ID_MASK 0x7f00`
	`35`	`+#define MAC_NESTED_IE_TYPE_LONG_MASK 0x8000`
`34`	`36`
`35`	`37`	`static void mac_ie_header_parse(mac_header_IE_t header_element, uint8_t ptr)`
`36`	`38`	`{`
`@@ -52,7 +54,7 @@ static void mac_ie_nested_id_parse(mac_nested_payload_IE_t element, uint8_t pt`
`52`	`54`	`{`
`53`	`55`	`uint16_t ie_dummy = common_read_16_bit_inverse(ptr);`
`54`	`56`
`55`		`- if (ie_dummy & 0x8000) {`
	`57`	`+ if (ie_dummy & MAC_NESTED_IE_TYPE_LONG_MASK) {`
`56`	`58`	`element->type_long = true;`
`57`	`59`	`element->length = (ie_dummy & MAC_NESTED_LONG_IE_PAYLOAD_LENGTH_MASK);`
`58`	`60`	`element->id = ((ie_dummy & MAC_NESTED_LONG_IE_PAYLOAD_ID_MASK ) >> 11);`
`@@ -77,15 +79,15 @@ uint8_t mac_ie_header_base_write(uint8_t ptr, uint8_t type, uint16_t length)`
`77`	`79`	`uint8_t mac_ie_payload_base_write(uint8_t ptr, uint8_t type, uint16_t length)`
`78`	`80`	`{`
`79`	`81`
`80`		`- uint16_t ie_dummy = 0x8000; //Payload type`
	`82`	`+ uint16_t ie_dummy = MAC_IE_TYPE_PAYLOAD_MASK; //Payload type`
`81`	`83`	`ie_dummy \|= (length & MAC_IE_PAYLOAD_LENGTH_MASK);`
`82`	`84`	`ie_dummy \|= ((type << 11 ) & MAC_IE_PAYLOAD_ID_MASK);`
`83`	`85`	`return common_write_16_bit_inverse(ie_dummy, ptr);`
`84`	`86`	`}`
`85`	`87`
`86`	`88`	`uint8_t mac_ie_nested_ie_long_base_write(uint8_t ptr, uint8_t sub_id, uint16_t length)`
`87`	`89`	`{`
`88`		`- uint16_t ie_dummy = 0x8000;`
	`90`	`+ uint16_t ie_dummy = MAC_NESTED_IE_TYPE_LONG_MASK;`
`89`	`91`	`ie_dummy \|= (length & MAC_NESTED_LONG_IE_PAYLOAD_LENGTH_MASK);`
`90`	`92`	`ie_dummy \|= ((sub_id << 11 ) & MAC_NESTED_LONG_IE_PAYLOAD_ID_MASK);`
`91`	`93`
`@@ -112,7 +114,7 @@ uint16_t mac_ie_payload_discover(uint8_t *payload_ptr, uint16_t length, mac_payl`
`112`	`114`	`return ie_element.length;`
`113`	`115`	`}`
`114`	`116`
`115`		`- length -= ie_element.length +2;`
	`117`	`+ length -= ie_element.length + 2;`
`116`	`118`
`117`	`119`	`payload_ptr += ie_element.length + 2;`
`118`	`120`	`}`
`@@ -124,13 +126,18 @@ uint16_t mac_ie_nested_discover(uint8_t *payload_ptr, uint16_t length, mac_neste`
`124`	`126`	`mac_nested_payload_IE_t ie_element;`
`125`	`127`	`while (length >= 2) {`
`126`	`128`	`mac_ie_nested_id_parse(&ie_element, payload_ptr);`
	`129`	`+`
	`130`	`+ if (length < ie_element.length + 2) {`
	`131`	`+ return 0;`
	`132`	`+ }`
	`133`	`+`
`127`	`134`	`if (nested_ie->id == ie_element.id && nested_ie->type_long == ie_element.type_long) {`
`128`	`135`	`nested_ie->content_ptr = ie_element.content_ptr;`
`129`	`136`	`nested_ie->length = ie_element.length;`
`130`	`137`	`return ie_element.length;`
`131`	`138`	`}`
`132`	`139`
`133`		`- length -= ie_element.length +2;`
	`140`	`+ length -= ie_element.length + 2;`
`134`	`141`
`135`	`142`	`payload_ptr += ie_element.length + 2;`
`136`	`143`	`}`
`@@ -148,7 +155,7 @@ uint8_t mac_ie_header_discover(uint8_t *header_ptr, uint16_t length, mac_header_`
`148`	`155`	`return ie_element.length;`
`149`	`156`	`}`
`150`	`157`
`151`		`- length -= ie_element.length +2;`
	`158`	`+ length -= ie_element.length + 2;`
`152`	`159`
`153`	`160`	`header_ptr += ie_element.length + 2;`
`154`	`161`	`}`
`@@ -170,7 +177,7 @@ uint8_t mac_ie_header_sub_id_discover(uint8_t *header_ptr, uint16_t length, mac_`
`170`	`177`	`return ie_element.length;`
`171`	`178`	`}`
`172`	`179`
`173`		`- length -= ie_element.length +2;`
	`180`	`+ length -= ie_element.length + 2;`
`174`	`181`
`175`	`182`	`header_ptr += ie_element.length + 2;`
`176`	`183`	`}`