From 11616962a34f20e9939cc80b19761c70aedf301d Mon Sep 17 00:00:00 2001 From: Michael Sandstedt Date: Mon, 2 May 2022 08:43:10 -0500 Subject: [PATCH] Fix off-by-one error in FindLocalNodeFromDestionationId (#17942) FindLocalNodeFromDestionationId is indexing 1 entry past the initialized IPK epoch keys, with the result that an all-zero key is accepted when one or two epoch-keys are installed. If three epoch keys are installed, this will reference out of bounds. This commit corrects the loop bound in this method to fix the problem. Testing: Manually tested with an initiator using an incorrect, all-zero key. Without the fix, CASE establishment succeeds. With the fix, the responder now correctly rejects the incoming establishment request. Fixes #17940
---
 src/protocols/secure_channel/CASESession.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp
index acc609a31dc82e..77653953a3c947 100644
--- a/src/protocols/secure_channel/CASESession.cpp
+++ b/src/protocols/secure_channel/CASESession.cpp
@@ -495,7 +495,7 @@ CHIP_ERROR CASESession::FindLocalNodeFromDestionationId(const ByteSpan & destina
 }
 // Try every IPK candidate we have for a match
- for (size_t keyIdx = 0; keyIdx <= ipkKeySet.num_keys_used; ++keyIdx)
+ for (size_t keyIdx = 0; keyIdx < ipkKeySet.num_keys_used; ++keyIdx)
 {
 uint8_t candidateDestinationId[kSHA256_Hash_Length];
 MutableByteSpan candidateDestinationIdSpan(candidateDestinationId);
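Review bot: The corrected `for` loop still uses `ipkKeySet.num_keys_used` as its only bound, and nothing visible in the hunk checks that count against the capacity of the epoch-key array. If the count is ever loaded wrong from storage, the loop could again read past the initialized keys and match a destination ID derived from uninitialized key material. A guard just before the loop would make this fail closed, for example `VerifyOrReturnError(ipkKeySet.num_keys_used <= /* epoch-key array capacity */, CHIP_ERROR_INTERNAL);`. The constant's name is not visible here, and the function body starts and ends outside the hunk, so such a check may already exist earlier. The commit message reports manual testing only, so an automated test asserting that an all-zero IPK candidate is rejected with one and two keys installed would keep the `<=` from coming back.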