Commit 1f8d922
[spi-hdlc-adapter] validate RCP frame lengths against the MTU (openthread#13206)

The slave (RCP) controls the `data_len` and `accept_len` fields of the SPI
header. Both carry a payload length that excludes the 5-byte header, as
shown by `sMTU = MAX_FRAME_SIZE - HEADER_LEN`, so the largest valid value
is the MTU, `MAX_FRAME_SIZE - HEADER_LEN`.

The two sanity checks in `push_pull_spi()` only rejected values greater
than `MAX_FRAME_SIZE`, allowing an RCP to advertise a length in the range
(MAX_FRAME_SIZE - HEADER_LEN, MAX_FRAME_SIZE]. That value flows into
`spi_xfer_bytes`, and `do_spi_xfer()` then transfers
`spi_xfer_bytes + HEADER_LEN + sSpiRxAlignAllowance` bytes into
`sSpiRxFrameBuffer` / `sSpiTxFrameBuffer`. Those buffers are sized
`MAX_FRAME_SIZE + SPI_RX_ALIGN_ALLOWANCE_MAX`, so the extra HEADER_LEN
added by the transfer can write up to 5 bytes past the end of both.

Clamp both checks to `MAX_FRAME_SIZE - HEADER_LEN` so the advertised
payload plus the header always fits within the existing buffers.

1 parent 5e68d00 commit 1f8d922
1 file changed
Lines changed: 5 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
531 | 531 | | |
532 | 532 | | |
533 | 533 | | |
534 | | - | |
535 | | - | |
| 534 | + | |
| 535 | + | |
| 536 | + | |
536 | 537 | | |
537 | 538 | | |
538 | 539 | | |
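Review bot: the new bound at lines 534-536 should be written against one shared name rather than a spelled-out expression, so that this check and the one near line 634 cannot drift apart again. The commit message gives the limit as `MAX_FRAME_SIZE - HEADER_LEN` and notes that `sMTU` already holds that value; comparing against `sMTU` (or a single named constant) in both places would make the intent explicit. The changed lines are not visible in this rendering, so this rests on the commit message.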
| |||
630 | 631 | | |
631 | 632 | | |
632 | 633 | | |
633 | | - | |
634 | | - | |
| 634 | + | |
| 635 | + | |
635 | 636 | | |
636 | 637 | | |
637 | 638 | | |
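Review bot: the check at lines 634-635, like the one at 534-536, limits the length where it is read, but the commit message places the out-of-bounds write in `do_spi_xfer()`, which transfers `spi_xfer_bytes + HEADER_LEN + sSpiRxAlignAllowance` bytes into buffers sized `MAX_FRAME_SIZE + SPI_RX_ALIGN_ALLOWANCE_MAX`. The message describes only the two checks in `push_pull_spi()` changing, so consider also asserting or bounding the total transfer size against the buffer size inside `do_spi_xfer()`, so that a later caller cannot reintroduce the 5-byte overrun. A short comment at each check stating that the fields exclude the 5-byte header would also help.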
| |||