json: fix buffer overrun in encoding helper

The bounds check failed to account for the additional space required for the terminating NUL after the encoded value was written. Signed-off-by: Peter Bigot <peter.bigot@nordicsemi.no>
2020-04-21 14:56:52 -05:00 · 2020-04-21 14:56:52 -05:00 · a09f6ad54c
commit a09f6ad54c
parent 315cba1c40
2 changed files with 23 additions and 2 deletions
--- a/lib/os/json.c
+++ b/lib/os/json.c
@ -875,7 +875,7 @@ static int append_bytes_to_buf(const char *bytes, size_t len, void *data)
 {
 	struct appender *appender = data;

-	if (len > appender->size - appender->used) {
+	if (len >= appender->size - appender->used) {
 		return -ENOMEM;
 	}

--- a/tests/lib/json/src/main.c
+++ b/tests/lib/json/src/main.c
@ -519,6 +519,26 @@ static void test_json_escape_bounds_check(void)
 	zassert_equal(ret, -ENOMEM, "Bounds check OK");
 }

+static void test_json_encode_bounds_check(void)
+{
+	struct number {
+		u32_t val;
+	} str = { 0 };
+	const struct json_obj_descr descr[] = {
+		JSON_OBJ_DESCR_PRIM(struct number, val, JSON_TOK_NUMBER),
+	};
+	/* Encodes to {"val":0}\0 for a total of 10 bytes */
+	u8_t buf[10];
+	ssize_t ret = json_obj_encode_buf(descr, ARRAY_SIZE(descr),
+					  &str, buf, 10);
+	zassert_equal(ret, 0, "Bounds check passed");
+	zassert_equal(strlen(buf), 9, "encoded value length");
+
+	ret = json_obj_encode_buf(descr, ARRAY_SIZE(descr),
+				     &str, buf, 9);
+	zassert_equal(ret, -ENOMEM, "Bounds check rejected");
+}
+
 void test_main(void)
 {
 	ztest_test_suite(lib_json_test,
@ -539,7 +559,8 @@ void test_main(void)
 			 ztest_unit_test(test_json_escape_one),
 			 ztest_unit_test(test_json_escape_empty),
 			 ztest_unit_test(test_json_escape_no_op),
-			 ztest_unit_test(test_json_escape_bounds_check)
+			 ztest_unit_test(test_json_escape_bounds_check),
+			 ztest_unit_test(test_json_encode_bounds_check)
 			 );

 	ztest_run_test_suite(lib_json_test);