Reject zero-length TCP messages to prevent connection slot abuse (backport #71942) #72383

Open: mergify[bot] wants to merge 1 commit into v1.4.2-branch from mergify/bp/v1.4.2-branch/pr-71942

@mergify mergify Bot commented Jun 3, 2026

Summary

  • Reject zero-length TCP messages (4-byte length prefix of all zeros) instead of silently accepting them
  • Previously, zero-length messages were treated as valid keepalives, allowing an attacker to hold all TCP connection slots (default: 4) indefinitely with minimal bandwidth (4 bytes per probe)
  • No valid Matter message has zero payload length, so this is safe to reject
  • Connection is closed with CHIP_ERROR_INVALID_MESSAGE_LENGTH on receipt of a zero-length message

Testing

  • The existing test CheckProcessReceivedBuffer in src/transport/raw/tests/TestTCP.cpp sends a zero-length message (messageSize_TEST) and expects CHIP_NO_ERROR — this test will need to be updated to expect CHIP_ERROR_INVALID_MESSAGE_LENGTH and connection closure
  • The change is intentionally breaking for any peer sending zero-length TCP messages, which is not a valid Matter behavior

🤖 Generated with Claude Code


This is an automatic backport of pull request #71942 done by Mergify.

* Reject zero-length TCP messages to prevent connection slot abuse

Zero-length messages (4-byte header of all zeros) were silently
accepted as valid, keeping the connection alive. An attacker could
hold all TCP connection slots (default: 4) indefinitely by sending
just 4 zero bytes per probe, blocking legitimate CASE sessions.

Reject zero-length messages and close the connection, since no valid
Matter message has zero payload length.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Address review: remove redundant CloseConnectionInternal, fix test

- Remove explicit CloseConnectionInternal call since the caller
  (OnDataReceived) already handles connection closure on error return
- Update test to expect CHIP_ERROR_INVALID_MESSAGE_LENGTH for
  zero-length messages

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Retrigger CI (REPL timeout)

* Retrigger CI

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Robert Szewczyk <szewczyk@google.com>
(cherry picked from commit 0e0a4aa)

mergify Bot added the backport-v1.4.2-branch label (Backport PR targeting v1.4.2-branch, created by Mergify) Jun 3, 2026
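
To illustrate the check described in the summary and commit message above, here is an added example (not the PR's diff and not Matter SDK code): a minimal length-prefixed frame reader in which the pre-fix and post-fix handling of a zero-length frame can be selected. `FrameReader`, `FrameStatus`, the 64000-byte cap and the little-endian prefix decode are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added sketch with hypothetical names; this is not the Matter SDK's TCP code.
enum class FrameStatus { Ok, NeedMoreData, InvalidMessageLength };

constexpr std::size_t kPrefixBytes      = 4;     // length prefix size named in the PR
constexpr std::uint32_t kMaxMessageSize = 64000; // assumed upper bound for this sketch

struct FrameReader
{
    explicit FrameReader(bool rejectZeroLength) : rejectZero(rejectZeroLength) {}
    // Feed bytes read from the socket. InvalidMessageLength tells the caller
    // to close the connection, which frees its slot for another peer.
    FrameStatus OnDataReceived(const std::uint8_t * data, std::size_t len)
    {
        pending.insert(pending.end(), data, data + len);
        while (pending.size() >= kPrefixBytes)
        {
            // Little-endian decode (assumed byte order; irrelevant for zero).
            const std::uint32_t size = static_cast<std::uint32_t>(pending[0]) |
                (static_cast<std::uint32_t>(pending[1]) << 8) |
                (static_cast<std::uint32_t>(pending[2]) << 16) |
                (static_cast<std::uint32_t>(pending[3]) << 24);
            if (size > kMaxMessageSize || (size == 0 && rejectZero))
                return FrameStatus::InvalidMessageLength;
            if (pending.size() < kPrefixBytes + size)
                return FrameStatus::NeedMoreData;
            // size == 0 reaches here only in pre-fix mode: the empty frame is
            // consumed, nothing is delivered, and the connection stays open.
            if (size > 0)
                ++delivered;
            pending.erase(pending.begin(), pending.begin() + kPrefixBytes + size);
        }
        return pending.empty() ? FrameStatus::Ok : FrameStatus::NeedMoreData;
    }
    bool rejectZero;
    std::vector<std::uint8_t> pending; // received bytes not yet framed
    std::size_t delivered = 0;         // complete non-empty messages handed upward
};

int main()
{
    const std::uint8_t probe[4] = { 0, 0, 0, 0 }; // constructed zero-length frame
    FrameReader fixedReader(true);
    return fixedReader.OnDataReceived(probe, sizeof(probe)) == FrameStatus::InvalidMessageLength ? 0 : 1;
}
```

With `rejectZeroLength` set to `false` the same four bytes return `Ok` and deliver nothing, which is the state in which a peer keeps a slot without ever sending a message.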

github-actions Bot commented Jun 3, 2026

PR #72383: Size comparison from 09d0453 to 584118b

Full report (45 builds for bl602, bl702, bl702l, cc13x4_26x4, cc32xx, cyw30739, nrfconnect, psoc6, qpg, stm32, telink, tizen)

| platform | target | config | section | 09d0453 | 584118b | change | % change |
|---|---|---|---|---|---|---|---|
| bl602 | lighting-app | bl602+mfd+littlefs+rpc | FLASH | 1103512 | 1103512 | 0 | 0.0 |
| | | | RAM | 179034 | 179034 | 0 | 0.0 |
| bl702 | lighting-app | bl702+eth | FLASH | 656910 | 656910 | 0 | 0.0 |
| | | | RAM | 135001 | 135001 | 0 | 0.0 |
| | | bl702+wifi | FLASH | 834102 | 834102 | 0 | 0.0 |
| | | | RAM | 124541 | 124541 | 0 | 0.0 |
| | | bl706+mfd+rpc+littlefs | FLASH | 1066760 | 1066760 | 0 | 0.0 |
| | | | RAM | 117405 | 117405 | 0 | 0.0 |
| bl702l | contact-sensor-app | bl702l+mfd+littlefs | FLASH | 897012 | 897012 | 0 | 0.0 |
| | | | RAM | 105716 | 105716 | 0 | 0.0 |
| | lighting-app | bl702l+mfd+littlefs | FLASH | 980024 | 980024 | 0 | 0.0 |
| | | | RAM | 109892 | 109892 | 0 | 0.0 |
| cc13x4_26x4 | lighting-app | LP_EM_CC1354P10_6 | FLASH | 764852 | 764852 | 0 | 0.0 |
| | | | RAM | 103376 | 103376 | 0 | 0.0 |
| | lock-ftd | LP_EM_CC1354P10_6 | FLASH | 776656 | 776656 | 0 | 0.0 |
| | | | RAM | 108560 | 108560 | 0 | 0.0 |
| | pump-app | LP_EM_CC1354P10_6 | FLASH | 722620 | 722620 | 0 | 0.0 |
| | | | RAM | 96948 | 96948 | 0 | 0.0 |
| | pump-controller-app | LP_EM_CC1354P10_6 | FLASH | 706912 | 706912 | 0 | 0.0 |
| | | | RAM | 97156 | 97156 | 0 | 0.0 |
| cc32xx | air-purifier | CC3235SF_LAUNCHXL | FLASH | 550146 | 550222 | 76 | 0.0 |
| | | | RAM | 205176 | 205176 | 0 | 0.0 |
| | lock | CC3235SF_LAUNCHXL | FLASH | 583386 | 583462 | 76 | 0.0 |
| | | | RAM | 205384 | 205384 | 0 | 0.0 |
| cyw30739 | light | CYW30739B2-P5-EVK-01 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 664281 | 664281 | 0 | 0.0 |
| | | | RAM | 77480 | 77480 | 0 | 0.0 |
| | light-switch | CYW30739B2-P5-EVK-01 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 625837 | 625837 | 0 | 0.0 |
| | | | RAM | 73800 | 73800 | 0 | 0.0 |
| | lock | CYW30739B2-P5-EVK-01 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 646809 | 646809 | 0 | 0.0 |
| | | | RAM | 76800 | 76800 | 0 | 0.0 |
| | thermostat | CYW30739B2-P5-EVK-01 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 621353 | 621353 | 0 | 0.0 |
| | | | RAM | 70904 | 70904 | 0 | 0.0 |
| | light | CYW30739B2-P5-EVK-02 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 684125 | 684125 | 0 | 0.0 |
| | | | RAM | 80120 | 80120 | 0 | 0.0 |
| | light-switch | CYW30739B2-P5-EVK-02 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 645465 | 645465 | 0 | 0.0 |
| | | | RAM | 76352 | 76352 | 0 | 0.0 |
| | lock | CYW30739B2-P5-EVK-02 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 666525 | 666525 | 0 | 0.0 |
| | | | RAM | 79352 | 79352 | 0 | 0.0 |
| | thermostat | CYW30739B2-P5-EVK-02 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 641197 | 641197 | 0 | 0.0 |
| | | | RAM | 73536 | 73536 | 0 | 0.0 |
| | light | CYW30739B2-P5-EVK-03 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 684125 | 684125 | 0 | 0.0 |
| | | | RAM | 80120 | 80120 | 0 | 0.0 |
| | light-switch | CYW30739B2-P5-EVK-03 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 645465 | 645465 | 0 | 0.0 |
| | | | RAM | 76352 | 76352 | 0 | 0.0 |
| | lock | CYW30739B2-P5-EVK-03 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 666525 | 666525 | 0 | 0.0 |
| | | | RAM | 79352 | 79352 | 0 | 0.0 |
| | thermostat | CYW30739B2-P5-EVK-03 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 641197 | 641197 | 0 | 0.0 |
| | | | RAM | 73536 | 73536 | 0 | 0.0 |
| | light | CYW930739M2EVB-02 | unknown | 2040 | 2040 | 0 | 0.0 |
| | | | FLASH | 641073 | 641073 | 0 | 0.0 |
| | | | RAM | 72548 | 72548 | 0 | 0.0 |
| nrfconnect | all-clusters-app | nrf52840dk_nrf52840 | FLASH | 916480 | 916480 | 0 | 0.0 |
| | | | RAM | 167458 | 167458 | 0 | 0.0 |
| | all-clusters-minimal-app | nrf52840dk_nrf52840 | FLASH | 859992 | 859992 | 0 | 0.0 |
| | | | RAM | 141065 | 141065 | 0 | 0.0 |
| | all-clusters-app | nrf7002dk_nrf5340_cpuapp | FLASH | 914452 | 914452 | 0 | 0.0 |
| | | | RAM | 145676 | 145676 | 0 | 0.0 |
| psoc6 | all-clusters | cy8ckit_062s2_43012 | FLASH | 1674508 | 1674564 | 56 | 0.0 |
| | | | RAM | 212456 | 212456 | 0 | 0.0 |
| | all-clusters-minimal | cy8ckit_062s2_43012 | FLASH | 1577724 | 1577780 | 56 | 0.0 |
| | | | RAM | 208504 | 208504 | 0 | 0.0 |
| | light | cy8ckit_062s2_43012 | FLASH | 1450284 | 1450340 | 56 | 0.0 |
| | | | RAM | 197224 | 197224 | 0 | 0.0 |
| | lock | cy8ckit_062s2_43012 | FLASH | 1482820 | 1482892 | 72 | 0.0 |
| | | | RAM | 224960 | 224960 | 0 | 0.0 |
| qpg | lighting-app | qpg6200+debug | FLASH | 745088 | 745088 | 0 | 0.0 |
| | | | RAM | 94228 | 94228 | 0 | 0.0 |
| | lock-app | qpg6200+debug | FLASH | 755044 | 755044 | 0 | 0.0 |
| | | | RAM | 94264 | 94264 | 0 | 0.0 |
| stm32 | light | STM32WB5MM-DK | FLASH | 466512 | 466512 | 0 | 0.0 |
| | | | RAM | 141376 | 141376 | 0 | 0.0 |
| telink | light-app-ota-compress-lzma-shell-factory-data | tl3218x | FLASH | 795304 | 795304 | 0 | 0.0 |
| | | | RAM | 44032 | 44032 | 0 | 0.0 |
| | light-switch-app-ota-factory-data | tl3218x_retention | FLASH | 724500 | 724500 | 0 | 0.0 |
| | | | RAM | 37024 | 37024 | 0 | 0.0 |
| | bridge-app | tl7218x | FLASH | 703582 | 703582 | 0 | 0.0 |
| | | | RAM | 93616 | 93616 | 0 | 0.0 |
| | light-app-ota-shell-factory-data | tl7218x | FLASH | 783712 | 783712 | 0 | 0.0 |
| | | | RAM | 100928 | 100928 | 0 | 0.0 |
| | light-switch-app-ota-compress-lzma-factory-data | tl7218x_retention | FLASH | 711186 | 711186 | 0 | 0.0 |
| | | | RAM | 54268 | 54268 | 0 | 0.0 |
| | lighting-app-ota-factory-data | tlsr9118bdk40d | FLASH | 603866 | 603866 | 0 | 0.0 |
| | | | RAM | 112548 | 112548 | 0 | 0.0 |
| | lighting-app-ota-rpc-factory-data-4mb | tlsr9518adk80d | FLASH | 819290 | 819290 | 0 | 0.0 |
| | | | RAM | 99180 | 99180 | 0 | 0.0 |
| | light-switch-app-ota-compress-lzma-shell-factory-data | tlsr9528a | FLASH | 747760 | 747760 | 0 | 0.0 |
| | | | RAM | 77424 | 77424 | 0 | 0.0 |
| tizen | all-clusters-app | arm | unknown | 5308 | 5308 | 0 | 0.0 |
| | | | FLASH | 1822368 | 1822452 | 84 | 0.0 |
| | | | RAM | 97556 | 97556 | 0 | 0.0 |
| | chip-tool-ubsan | arm | unknown | 20700 | 20700 | 0 | 0.0 |
| | | | FLASH | 20976754 | 20976842 | 88 | 0.0 |
| | | | RAM | 9131396 | 9131396 | 0 | 0.0 |

Labels

backport-v1.4.2-branch (Backport PR targeting v1.4.2-branch, created by Mergify), transport
