Need stronger protection? Integer overflow in xStreamBufferSend() for message buffers — v10.6.2 is configASSERT-only protection

Description

In stream_buffer.c, the function xStreamBufferSend() (also invoked via the xMessageBufferSend() macro) adds sbBYTES_TO_STORE_MESSAGE_LENGTH to xRequiredSpace without a runtime overflow check. The only protection is a configASSERT, which is compiled out in release builds.

With the help of AI analysis, it says “this is the same class of integer overflow vulnerability that was fixed in xStreamBufferGenericCreate() (CVE-2021-31572), but the fix was not applied to the send path.”

Affected Version

FreeRTOS Kernel V10.6.2.

Location

stream_buffer.c, inside xStreamBufferSend():

// Line ~677
size_t xRequiredSpace = xDataLengthBytes;

// Line ~692-697
if( ( pxStreamBuffer->ucFlags & sbFLAGS_IS_MESSAGE_BUFFER ) != ( uint8_t ) 0 )
{
    xRequiredSpace += sbBYTES_TO_STORE_MESSAGE_LENGTH;  // <-- can wrap on 32-bit

    /* Overflow? */
    configASSERT( xRequiredSpace > xDataLengthBytes );  // <-- ONLY protection
    ...
}

Combining threads: Integer overflow in xStreamBufferSendFromISR() for message buffers — no overflow check - V10.6.2 - #2 by rtel
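The wrap described in the post above, next to a runtime check that does not depend on configASSERT, as an added example that is not part of the original post or the FreeRTOS source. It assumes a 32-bit size_t (modelled with uint32_t so it behaves the same on a 64-bit host) and a 4-byte length prefix; `model_size_t`, `MODEL_LENGTH_PREFIX` and both function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumptions of this model: size_t is 32 bits wide and the message
 * length prefix (sbBYTES_TO_STORE_MESSAGE_LENGTH on the page) is 4 bytes. */
typedef uint32_t model_size_t;
#define MODEL_SIZE_MAX         UINT32_MAX
#define MODEL_LENGTH_PREFIX    ( ( model_size_t ) 4 )

/* Mirrors the excerpt with configASSERT compiled out: the addition is
 * performed unconditionally and wraps modulo 2^32. */
static model_size_t required_space_unchecked( model_size_t xDataLengthBytes )
{
    model_size_t xRequiredSpace = xDataLengthBytes;

    xRequiredSpace += MODEL_LENGTH_PREFIX;
    return xRequiredSpace;
}

/* Runtime check that survives release builds: test against the maximum
 * before adding, so the wrap never happens. Returns 1 and stores the sum
 * on success, 0 if the request cannot be represented. */
static int required_space_checked( model_size_t xDataLengthBytes,
                                   model_size_t * pxRequiredSpace )
{
    if( xDataLengthBytes > ( MODEL_SIZE_MAX - MODEL_LENGTH_PREFIX ) )
    {
        return 0; /* caller should reject the send */
    }

    *pxRequiredSpace = xDataLengthBytes + MODEL_LENGTH_PREFIX;
    return 1;
}

int main( void )
{
    /* Constructed sample lengths: one ordinary, three near the maximum. */
    const model_size_t xLengths[] = { 100u, MODEL_SIZE_MAX - 4u, MODEL_SIZE_MAX - 3u, MODEL_SIZE_MAX };

    for( size_t i = 0; i < sizeof( xLengths ) / sizeof( xLengths[ 0 ] ); i++ )
    {
        model_size_t xChecked = 0;
        int ok = required_space_checked( xLengths[ i ], &xChecked );

        printf( "len=%lu unchecked=%lu checked=%s\n", ( unsigned long ) xLengths[ i ],
                ( unsigned long ) required_space_unchecked( xLengths[ i ] ), ok ? "accepted" : "rejected" );
    }

    return 0;
}
```

In the unchecked path the wrapped result is smaller than the data length, so any later comparison against it sees a request of only a few bytes.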