Fix off-by-one error in FindLocalNodeFromDestionationId (#17942)
FindLocalNodeFromDestionationId is indexing 1 entry past the initialized
IPK epoch keys, with the result that an all-zero key is accepted when
one or two epoch-keys are installed.  If three epoch keys are installed,
this will reference out of bounds.

This commit corrects the loop bound in this method to fix the problem.

Testing: Manually tested with an initiator using an incorrect, all-zero
key.  Without the fix, CASE establishment succeeds.  With the fix, the
responder now correctly rejects the incoming establishment request.

Fixes #17940
msandstedt authored and pull[bot] committed Feb 1, 2024
1 parent 79fbf87 commit 1161696
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/protocols/secure_channel/CASESession.cpp
Expand Up @@ -495,7 +495,7 @@ CHIP_ERROR CASESession::FindLocalNodeFromDestionationId(const ByteSpan & destina
}

// Try every IPK candidate we have for a match
for (size_t keyIdx = 0; keyIdx <= ipkKeySet.num_keys_used; ++keyIdx)
for (size_t keyIdx = 0; keyIdx < ipkKeySet.num_keys_used; ++keyIdx)
{
uint8_t candidateDestinationId[kSHA256_Hash_Length];
MutableByteSpan candidateDestinationIdSpan(candidateDestinationId);
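
Review bot: The corrected bound on the `for (size_t keyIdx = 0; ...)` loop lands without an automated regression test: the commit touches one file and the message reports only a manual check with an all-zero key. A unit test for CASE establishment that installs one, two and three epoch keys and asserts that an initiator using an all-zero IPK is rejected would keep the `<=` comparison from coming back unnoticed. Since the loop takes `ipkKeySet.num_keys_used` as its only bound, it would also help to check before the loop that this count does not exceed the number of epoch key slots, so a bad count fails cleanly instead of indexing past the array.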