Integer overflow in xStreamBufferSendFromISR() for message buffers — no overflow check - V10.6.2

Description

In stream_buffer.c, the function xStreamBufferSendFromISR() (also invoked via xMessageBufferSendFromISR()) adds sbBYTES_TO_STORE_MESSAGE_LENGTH to xRequiredSpace with no overflow check and no configASSERT.

This is a variant of the same issue in xStreamBufferSend(), where a configASSERT is present. Both are the same class of vulnerability as CVE-2021-31572.

Affected Version

FreeRTOS Kernel V10.6.2. The missing configASSERT was added in V11.2.0, but the underlying runtime check is still lacking.

Location

stream_buffer.c, inside xStreamBufferSendFromISR():

// Line ~808
size_t xRequiredSpace = xDataLengthBytes;

// Line ~817-820
if( ( pxStreamBuffer->ucFlags & sbFLAGS_IS_MESSAGE_BUFFER ) != ( uint8_t ) 0 )
{
    xRequiredSpace += sbBYTES_TO_STORE_MESSAGE_LENGTH;  // <-- can wrap, NO check
}
// Directly proceeds to:
xSpace = xStreamBufferSpacesAvailable( pxStreamBuffer );
xReturn = prvWriteMessageToBuffer( pxStreamBuffer, pvTxData, xDataLengthBytes, xSpace, xRequiredSpace );
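
The wrap described in the report, next to a runtime guard for it, as an added example that is not part of the original posts and is not FreeRTOS code. MSG_LENGTH_BYTES stands in for sbBYTES_TO_STORE_MESSAGE_LENGTH and is assumed to be sizeof(size_t); the helper names and the simplified space test are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for sbBYTES_TO_STORE_MESSAGE_LENGTH (assumed: sizeof(size_t)). */
#define MSG_LENGTH_BYTES ( sizeof( size_t ) )

/* Pattern from the report: the addition can wrap past SIZE_MAX. */
static size_t required_space_unchecked( size_t xDataLengthBytes, bool isMessageBuffer )
{
    size_t xRequiredSpace = xDataLengthBytes;
    if( isMessageBuffer )
    {
        xRequiredSpace += MSG_LENGTH_BYTES; /* unsigned wrap is silent */
    }
    return xRequiredSpace;
}

/* Hypothetical hardened helper: reject lengths whose sum would wrap. */
static bool required_space_checked( size_t xDataLengthBytes, bool isMessageBuffer, size_t * pxRequiredSpace )
{
    size_t xHeader = isMessageBuffer ? MSG_LENGTH_BYTES : 0;
    if( xDataLengthBytes > SIZE_MAX - xHeader )
    {
        return false; /* would overflow: caller must send nothing */
    }
    *pxRequiredSpace = xDataLengthBytes + xHeader;
    return true;
}

/* Simplified space test (a model, not the kernel's prvWriteMessageToBuffer). */
static bool fits_unchecked( size_t xSpace, size_t xDataLengthBytes )
{
    return xSpace >= required_space_unchecked( xDataLengthBytes, true );
}
static bool fits_checked( size_t xSpace, size_t xDataLengthBytes )
{
    size_t xRequiredSpace;
    return required_space_checked( xDataLengthBytes, true, &xRequiredSpace ) && ( xSpace >= xRequiredSpace );
}

int main( void )
{
    size_t xHuge = SIZE_MAX - 1; /* constructed length near SIZE_MAX */
    printf( "unchecked required: %zu\n", required_space_unchecked( xHuge, true ) );
    printf( "fits (unchecked): %d, fits (checked): %d\n", fits_unchecked( 64, xHuge ), fits_checked( 64, xHuge ) );
    return 0;
}
```

Unlike configASSERT, which is typically active only in development and test builds, the comparison against SIZE_MAX minus the header size stays in the release build.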

Thanks for taking the time to report. As you note, current kernel versions use an assert to catch this occurrence during development and test.

I would like to draw your attention to standard responsible disclosure procedures - as documented on GitHub, in the download, and on the FreeRTOS website. Reporting potential issues through those recommended channels will result in potential issues being tracked through to closure using our structured internal mechanisms.