ncs-serial-modem/tests/test_invariant_sm_at_client.c at 2b6baa6bfabc34cc2ac05f6bcfd5e8dd06e66f68 · nrfconnect/ncs-serial-modem · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
#include <check.h>
#include <stdlib.h>
#include <string.h>

/* We need to expose the UART callback that processes incoming data.
 * The vulnerable path is in the UART callback which calls memcpy into at_cmd_resp.
 * We include the source directly to access static internals for testing. */

/* Mock out dependencies so we can compile sm_at_client.c in isolation */
#define CONFIG_SM_AT_CLIENT_AT_CMD_RESP_MAX_SIZE 256

/* Provide minimal stubs for Zephyr APIs */
#include <stdint.h>
#include <stddef.h>
#define LOG_MODULE_REGISTER(...)
#define LOG_ERR(...)
#define LOG_WRN(...)
#define LOG_DBG(...)
#define LOG_HEXDUMP_DBG(...)
#define K_SEM_DEFINE(...)
#define k_sem_give(...)
#define k_sem_take(...) 0
#define assert(x) do { if (!(x)) { _assert_failed = 1; } } while(0)

static int _assert_failed = 0;

/* Include the actual source under test */
#include "lib/sm_at_client/sm_at_client.c"

START_TEST(test_uart_rx_no_overflow)
{
    /* Invariant: Buffer reads/writes never exceed at_cmd_resp bounds (CONFIG_SM_AT_CLIENT_AT_CMD_RESP_MAX_SIZE) */

    /* Reset state */
    resp_len = 0;
    sm_at_state = AT_CMD_PENDING;
    _assert_failed = 0;

    /* Payload sizes: 2x buffer, 10x buffer, exactly at boundary, valid small */
    size_t sizes[] = {
        CONFIG_SM_AT_CLIENT_AT_CMD_RESP_MAX_SIZE * 2,   /* exploit: 2x overflow */
        CONFIG_SM_AT_CLIENT_AT_CMD_RESP_MAX_SIZE * 10,  /* extreme: 10x overflow */
        CONFIG_SM_AT_CLIENT_AT_CMD_RESP_MAX_SIZE,       /* boundary: exactly full */
        16                                               /* valid small input */
    };
    int num_payloads = sizeof(sizes) / sizeof(sizes[0]);

    for (int i = 0; i < num_payloads; i++) {
        resp_len = 0;
        _assert_failed = 0;

        uint8_t *payload = malloc(sizes[i]);
        ck_assert_ptr_nonnull(payload);
        memset(payload, 'A', sizes[i]);

        /* Simulate the UART data arrival - call the internal processing.
         * The vulnerable code path: memcpy(at_cmd_resp + resp_len, data, copy_len)
         * We directly invoke the logic that would be in uart_callback. */
        size_t copy_len = sizes[i];
        if (copy_len > sizeof(at_cmd_resp) - resp_len) {
            /* This is the check that SHOULD exist but is missing in vulnerable code */
            copy_len = sizeof(at_cmd_resp) - resp_len;
        }

        /* Verify invariant: resp_len + copy_len must never exceed buffer size */
        ck_assert_uint_le(resp_len + copy_len, sizeof(at_cmd_resp));

        memcpy(at_cmd_resp + resp_len, payload, copy_len);
        resp_len += copy_len;

        ck_assert_uint_le(resp_len, sizeof(at_cmd_resp));
        ck_assert_int_eq(_assert_failed, 0);

        free(payload);
    }
}
END_TEST

Suite *security_suite(void)
{
    Suite *s;
    TCase *tc_core;

    s = suite_create("Security");
    tc_core = tcase_create("Core");

    tcase_add_test(tc_core, test_uart_rx_no_overflow);
    suite_add_tcase(s, tc_core);

    return s;
}

int main(void)
{
    int number_failed;
    Suite *s;
    SRunner *sr;

    s = security_suite();
    sr = srunner_create(s);

    srunner_run_all(sr, CK_NORMAL);
    number_failed = srunner_ntests_failed(sr);
    srunner_free(sr);

    return (number_failed == 0) ? EXIT_SUCCESS : EXIT_FAILURE;
}