From 17d4a1fecacd7dc920552db2a446d973de9bbc38 Mon Sep 17 00:00:00 2001
From: Michael Sandstedt
Date: Sat, 30 Apr 2022 13:45:25 -0500
Subject: [PATCH] Fix off-by-one error in FindLocalNodeFromDestionationId

FindLocalNodeFromDestionationId is indexing 1 entry past the initialized IPK epoch keys, with the result that an all-zero key is accepted when one or two epoch-keys are installed. If three epoch keys are installed, this will reference out of bounds. This commit corrects the loop bound in this method to fix the problem.

Testing: Manually tested with an initiator using an incorrect, all-zero key. Without the fix, CASE establishment succeeds. With the fix, the responder now correctly rejects the incoming establishment request.

Fixes #17940
---
 src/protocols/secure_channel/CASESession.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/protocols/secure_channel/CASESession.cpp b/src/protocols/secure_channel/CASESession.cpp
index 22b5e71adb3761..a76875e6b479a2 100644
--- a/src/protocols/secure_channel/CASESession.cpp
+++ b/src/protocols/secure_channel/CASESession.cpp
@@ -460,7 +460,7 @@ CHIP_ERROR CASESession::FindLocalNodeFromDestionationId(const ByteSpan & destina
 }
 // Try every IPK candidate we have for a match
- for (size_t keyIdx = 0; keyIdx <= ipkKeySet.num_keys_used; ++keyIdx)
+ for (size_t keyIdx = 0; keyIdx < ipkKeySet.num_keys_used; ++keyIdx)
 {
 uint8_t candidateDestinationId[kSHA256_Hash_Length];
 MutableByteSpan candidateDestinationIdSpan(candidateDestinationId);
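Review bot: The corrected loop `for (size_t keyIdx = 0; keyIdx < ipkKeySet.num_keys_used; ++keyIdx)` still takes `num_keys_used` on trust, so a key set whose stored count exceeds the epoch-key array's capacity would index past the array again. Where `ipkKeySet` is populated lies outside this hunk, so this may already be enforced there; if not, a guard before the loop would close it, e.g. `if (ipkKeySet.num_keys_used > <epoch-key array capacity>) return <error>;`. A one-line comment such as `// Only the first num_keys_used entries are initialized; the rest are zero-filled and must never be tried` would record why the bound is strict. Since the old bound let an all-zero key authenticate and was only tested manually, a unit test asserting that a destination ID derived from an all-zero IPK is rejected with one, two and three installed epoch keys would catch a regression. The body of FindLocalNodeFromDestionationId starts and ends outside the hunk.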