Skip to content

Commit ca1fe7b

Browse files
RC-Repositoriesurutva
authored andcommitted
ota-agent-task: Fix bugs in ota_agent_task.c
This commit fixes usage of memcpy with potentially user-defined inputs, without checking that the buffer could fit these inputs. Signed-off-by: Reuben Cartwright <[email protected]>
1 parent fc9369f commit ca1fe7b

File tree

2 files changed

+32
-12
lines changed

2 files changed

+32
-12
lines changed

components/aws_iot/ota_for_aws_iot_embedded_sdk/integration/src/ota_agent_task.c

+30-12
Original file line numberDiff line numberDiff line change
@@ -470,6 +470,7 @@ STATIC OtaEventData_t * prvOTAEventBufferGet( void )
470470
{
471471
eventBuffer[ ulIndex ].bufferUsed = true;
472472
pFreeBuffer = &eventBuffer[ ulIndex ];
473+
pFreeBuffer->dataLength = sizeof( pFreeBuffer->data );
473474
break;
474475
}
475476
}
@@ -616,13 +617,20 @@ STATIC void prvMqttJobCallback( void * pvIncomingPublishCallbackContext,
616617

617618
if( pData != NULL )
618619
{
619-
memcpy( pData->data, pxPublishInfo->pPayload, pxPublishInfo->payloadLength );
620-
pData->dataLength = pxPublishInfo->payloadLength;
621-
eventMsg.eventId = OtaAgentEventReceivedJobDocument;
622-
eventMsg.pEventData = pData;
620+
if( ( size_t ) pData->dataLength >= pxPublishInfo->payloadLength )
621+
{
622+
memcpy( pData->data, pxPublishInfo->pPayload, pxPublishInfo->payloadLength );
623+
pData->dataLength = pxPublishInfo->payloadLength;
624+
eventMsg.eventId = OtaAgentEventReceivedJobDocument;
625+
eventMsg.pEventData = pData;
623626

624-
/* Send job document received event. */
625-
OTA_SignalEvent( &eventMsg );
627+
/* Send job document received event. */
628+
OTA_SignalEvent( &eventMsg );
629+
}
630+
else
631+
{
632+
LogError( ( "Error: OTA data buffers are too small for the Job message provided.\n" ) );
633+
}
626634
}
627635
else
628636
{
@@ -666,13 +674,20 @@ STATIC void prvMqttDataCallback( void * pvIncomingPublishCallbackContext,
666674

667675
if( pxData != NULL )
668676
{
669-
memcpy( pxData->data, pxPublishInfo->pPayload, pxPublishInfo->payloadLength );
670-
pxData->dataLength = pxPublishInfo->payloadLength;
671-
eventMsg.eventId = OtaAgentEventReceivedFileBlock;
672-
eventMsg.pEventData = pxData;
677+
if( ( size_t ) pxData->dataLength >= pxPublishInfo->payloadLength )
678+
{
679+
memcpy( pxData->data, pxPublishInfo->pPayload, pxPublishInfo->payloadLength );
680+
pxData->dataLength = pxPublishInfo->payloadLength;
681+
eventMsg.eventId = OtaAgentEventReceivedFileBlock;
682+
eventMsg.pEventData = pxData;
673683

674-
/* Send job document received event. */
675-
OTA_SignalEvent( &eventMsg );
684+
/* Send file block received event. */
685+
OTA_SignalEvent( &eventMsg );
686+
}
687+
else
688+
{
689+
LogError( ( "Error: OTA data buffers are too small for the data message received.\n" ) );
690+
}
676691
}
677692
else
678693
{
@@ -762,6 +777,9 @@ STATIC void prvMQTTUnsubscribeCompleteCallback( MQTTAgentCommandContext_t * pxCo
762777
}
763778
}
764779

780+
/*
781+
* Precondition: pTopicFilter is not null.
782+
*/
765783
STATIC OtaMqttStatus_t prvMQTTSubscribe( const char * pTopicFilter,
766784
uint16_t topicFilterLength,
767785
uint8_t ucQoS )

release_changes/202409121339.change

+2
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
aws-iot-unit-test: Add tests for ota_agent_task.c.
2+
ota-agent-task: Debug unsafe memcpy usages in ota_agent_task.c.

0 commit comments

Comments
 (0)