Handle zero-length chunks in indefinite-length strings
Previously this would generate a QCBOR_ERR_STRING_ALLOCATE error. There is no security issue or attack vector here. QCBOR just errored out on a zero-length string chunk when it should not have. Zero-length string chunks are explicitly allowed in RFC 8949.
Thanks David for the catch and the fix!
* Fix decoding of an indefinite-length string with a zero-length first chunk. (#134)
Signed-off-by: David Navarro <david.navarro@ioterop.com>
* Add a unit test for #134.
Signed-off-by: David Navarro <david.navarro@ioterop.com>
Co-authored-by: David Navarro <david.navarro@ioterop.com>
diff --git a/test/qcbor_decode_tests.c b/test/qcbor_decode_tests.c
index c440fb0..70fc014 100644
--- a/test/qcbor_decode_tests.c
+++ b/test/qcbor_decode_tests.c
@@ -6050,8 +6050,28 @@
return 0;
}
+int32_t CBORTestIssue134()
+{
+ QCBORDecodeContext DCtx;
+ QCBORItem Item;
+ QCBORError uCBORError;
+ const uint8_t spTestIssue134[] = { 0x5F, 0x40, 0xFF };
+ QCBORDecode_Init(&DCtx,
+ UsefulBuf_FROM_BYTE_ARRAY_LITERAL(spTestIssue134),
+ QCBOR_DECODE_MODE_NORMAL);
+ UsefulBuf_MAKE_STACK_UB(StringBuf, 200);
+ QCBORDecode_SetMemPool(&DCtx, StringBuf, false);
+
+ do {
+ uCBORError = QCBORDecode_GetNext(&DCtx, &Item);
+ } while (QCBOR_SUCCESS == uCBORError);
+
+ uCBORError = QCBORDecode_Finish(&DCtx);
+
+ return uCBORError;
+}
int32_t CBORSequenceDecodeTests(void)
{
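Review bot: The do/while loop in CBORTestIssue134 discards the QCBORDecode_GetNext result that ends it, and the function returns only what QCBORDecode_Finish gives, so the test never asserts that the `0x5F 0x40 0xFF` input actually decodes to a single zero-length byte string. Consider one QCBORDecode_GetNext call checked against QCBOR_SUCCESS, followed by checks that Item.uDataType is QCBOR_TYPE_BYTE_STRING and Item.val.string.len is 0, before calling QCBORDecode_Finish. Also, the definition uses an empty parameter list, `CBORTestIssue134()`, while the neighbouring `CBORSequenceDecodeTests(void)` uses `(void)`; matching that makes it a proper prototype in C.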