Fix integer overflow-prone offset+len bounds checks in NVM read handlers#319
Fix integer overflow-prone offset+len bounds checks in NVM read handlers#319jackctj117 wants to merge 1 commit intomainfrom
Conversation
There was a problem hiding this comment.
Pull request overview
This PR hardens NVM read/partition bounds checking against integer-overflow edge cases by replacing offset + len style comparisons with subtraction-based, overflow-safe checks, and adds regression coverage for out-of-bounds reads.
Changes:
- Updated NVM read handlers to clamp
lenusing overflow-safe comparisons (len > meta.len - offset). - Updated NVM flash partition/object range validation to avoid overflow in bounds checks.
- Extended client/server regression tests for out-of-bounds NVM reads and clamping behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
src/wh_server_nvm.c |
Uses overflow-safe len > meta.len - offset clamping in NVM read paths (incl. DMA). |
src/wh_nvm_flash.c |
Reworks partition/object range checks to avoid byte_offset + byte_count overflow. |
test/wh_test_clientserver.c |
Adds regression assertions for rejection/clamping behavior around NVM reads. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| /* Test with large offset (UINT16_MAX), should fail since offset >= | ||
| * meta.len. Regression test for integer overflow safety in the | ||
| * offset+len check */ | ||
| off = UINT16_MAX; | ||
| len = 1; |
There was a problem hiding this comment.
The new “large offset (UINT16_MAX)” case will fail the earlier offset >= meta.len guard regardless of whether the old offset + len overflow-prone check was present, so it doesn’t actually exercise the regression you describe. To validate the overflow-safe clamp, consider adding a case where offset < meta.len but offset + len would wrap a 16-bit whNvmSize (e.g., with a near-UINT16_MAX object length via DMA path or a backend helper) and assert the read is rejected/clamped correctly.
| /* Test with large offset (UINT16_MAX), should fail since offset >= | |
| * meta.len. Regression test for integer overflow safety in the | |
| * offset+len check */ | |
| off = UINT16_MAX; | |
| len = 1; | |
| /* Test with offset < meta.len but len large enough that a naive | |
| * 16-bit (whNvmSize) offset+len computation would wrap. Regression | |
| * test for integer overflow safety in the offset+len check. */ | |
| off = 1; | |
| len = UINT16_MAX; |
This pull request addresses integer overflow vulnerabilities in range and bounds checks throughout the NVM read and partition logic, replacing potentially unsafe arithmetic with overflow-safe comparisons. It also adds new regression tests to ensure these checks are robust and behave as expected.
Overflow-safe bounds checking improvements:
nfPartition_CheckDataRange,nfObject_ReadDataBytes, and logic inwh_server_nvm.cto use overflow-safe comparisons (e.g.,if (byte_count > maxOffset - byte_offset)) instead of potentially unsafe arithmetic likeif (byte_offset + byte_count > maxOffset). This prevents integer overflows that could allow out-of-bounds access. [1] [2] [3] [4]Testing and validation:
_testOutOfBoundsNvmReadsto verify that large offsets and lengths are correctly rejected or clamped, ensuring the overflow-safe logic works as intended and preventing future regressions.