Fix buffer overflow in enc28j60_lwip_xmit()#3353
Conversation
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository YAML (base), Central YAML (inherited) Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
📝 WalkthroughWalkthroughThe PR adds a defensive bounds check to the ChangesTransmit Buffer Bounds Check
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes 🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. Tip 💬 Introducing Slack Agent: The best way for teams to turn conversations into code.Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.
Built for teams:
One agent for your entire SDLC. Right inside Slack. Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@dotnet-policy-service agree |
|
@orbisai0security thank you for reporting this and providing a fix. Can you please isolate the change in enc28j60_lwip.cpp (I suppose that's the key fix) and rebase the PR? That should be it. |
11d7a92 to
dd4bd1c
Compare
@josesimoes I've isolated the changes and also rebased the PR. Pls review. |
josesimoes
left a comment
There was a problem hiding this comment.
Perfect! Thank you very much for finding this and providing a fix.
|
@coderabbitai review |
|
/azp run |
✅ Actions performedReview triggered.
|
|
Azure Pipelines successfully started running 2 pipeline(s). |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/DeviceInterfaces/Network/Enc28j60/enc28j60_lwip.cpp`:
- Around line 609-613: The early return that returns ERR_BUF after
pbuf_free(pTmp) skips the GLOBAL_UNLOCK() and can deadlock; before returning
ERR_BUF (and likewise before other early returns that return ERR_ARG/ERR_MEM in
the same function), call GLOBAL_UNLOCK() to release the global lock, then free
the pbuf and return the error code—update the branch using pTmp/pPBuf (the same
pattern as the existing fixes for the ERR_ARG and ERR_MEM returns) so every
early exit invokes GLOBAL_UNLOCK() prior to returning.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository YAML (base), Central YAML (inherited)
Review profile: ASSERTIVE
Plan: Pro
Run ID: 8cac009a-6e58-40f3-b369-f9fac7ae3eeb
📒 Files selected for processing (1)
src/DeviceInterfaces/Network/Enc28j60/enc28j60_lwip.cpp
Add bounds check before memcpy in the pbuf traversal loop to prevent writing beyond the allocated buffer. Returns ERR_BUF and frees the temporary pbuf if the total payload exceeds the expected packet length.
2cb0d82 to
53e4421
Compare
|
/azp run |
|
Azure Pipelines successfully started running 2 pipeline(s). |
|
@orbisai0security thank you again for your contribution! 🙏😄 .NET nanoFramework is all about community involvement, and no contribution is too small. Please edit it and add an entry with your GitHub username in the appropriate location (names are sorted alphabetically): (Feel free to adjust your name if it's not correct) |
|
I analyzed your request and ran the commands, but no file changes were produced. This can happen when:
Could you provide more specific instructions about which files and lines to change? |
Description
enc28j60_lwip_xmit()to prevent buffer overflow when traversing the pbuf chain.ERR_BUFand frees the temporary pbuf.Motivation and Context
memcpyin the pbuf traversal loop could write beyond the allocated buffer if individual pbuf segment lengths sum to more than the expected packet length, causing a heap buffer overflow.How Has This Been Tested?
idx + pPBuf->lenagainst the allocated buffer size (length + 2).tot_len.Types of changes
Checklist