From 9f757607cb48c105284403f416cae6da1c1c0b73 Mon Sep 17 00:00:00 2001
From: Chaitanya Tata
Date: Mon, 20 May 2024 22:36:35 +0530
Subject: [PATCH 1/3] [nrf toup] packet: Add Malloc checks
Check for allocation failure and log an error. The error aren't propagated as it needs more changes, but at least we can identify that allocation has failed.
Signed-off-by: Chaitanya Tata
---
 indigo_api.c | 32 ++++++++++++++++++++++++++++++++
 indigo_packet.c | 12 ++++++++++++
 2 files changed, 44 insertions(+)
diff --git a/indigo_api.c b/indigo_api.c
index d445217..425d53f 100644
--- a/indigo_api.c
+++ b/indigo_api.c
@@ -322,15 +322,31 @@ void fill_wrapper_ack(struct packet_wrapper *wrapper, int seq, int status, char
 wrapper->tlv_num = 2;
 wrapper->tlv[0] = malloc(sizeof(struct tlv_hdr));
+ if (!wrapper->tlv[0]) {
+ indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV (size: %zu)", __LINE__, sizeof(struct tlv_hdr));
+ return;
+ }
 wrapper->tlv[0]->id = TLV_STATUS;
 wrapper->tlv[0]->len = 1;
 wrapper->tlv[0]->value = (char*)malloc(wrapper->tlv[0]->len);
+ if (!wrapper->tlv[0]->value) {
+ indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV value (size: %d)", __LINE__, wrapper->tlv[0]->len);
+ return;
+ }
 wrapper->tlv[0]->value[0] = status;
 wrapper->tlv[1] = malloc(sizeof(struct tlv_hdr));
+ if (!wrapper->tlv[1]) {
+ indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV (size: %zu)", __LINE__, sizeof(struct tlv_hdr));
+ return;
+ }
 wrapper->tlv[1]->id = TLV_MESSAGE;
 wrapper->tlv[1]->len = strlen(reason);
 wrapper->tlv[1]->value = (char*)malloc(wrapper->tlv[1]->len);
+ if (!wrapper->tlv[1]->value) {
+ indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV value (size: %d)", __LINE__, wrapper->tlv[1]->len);
+ return;
+ }
 memcpy(wrapper->tlv[1]->value, reason, wrapper->tlv[1]->len);
 }
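Review bot: Each early return added in fill_wrapper_ack leaves `wrapper->tlv_num` at 2, the value assigned on the first line of the hunk, even though `wrapper->tlv[0]`, `wrapper->tlv[1]` or one of their `value` pointers is NULL or never assigned at that point. Code that later walks `tlv_num` entries to serialise or free the wrapper would dereference those slots; that code is outside the diff, so confirm how it behaves. Until the error is propagated, each failure path should free what it half-built and set `wrapper->tlv_num` to the number of complete TLVs (0 for the first two returns, 1 for the last two), e.g. `wrapper->tlv_num = 0;` before the first `return;`. Note also that `malloc(wrapper->tlv[1]->len)` may return NULL for an empty `reason`, which the last check would then report as an allocation failure. The function's signature and opening lines are outside the hunk.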
@@ -359,9 +375,17 @@ void fill_wrapper_message_hdr(struct packet_wrapper *wrapper, int msg_type, int
 /* Fill the TLV structure to the wrapper (for one byte value) */
 void fill_wrapper_tlv_byte(struct packet_wrapper *wrapper, int id, char value) {
 wrapper->tlv[wrapper->tlv_num] = malloc(sizeof(struct tlv_hdr));
+ if (!wrapper->tlv[wrapper->tlv_num]) {
+ indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV (size: %zu)", __LINE__, sizeof(struct tlv_hdr));
+ return;
+ }
 wrapper->tlv[wrapper->tlv_num]->id = id;
 wrapper->tlv[wrapper->tlv_num]->len = 1;
 wrapper->tlv[wrapper->tlv_num]->value = (char*)malloc(1);
+ if (!wrapper->tlv[wrapper->tlv_num]->value) {
+ indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV value (size: %d)", __LINE__, 1);
+ return;
+ }
 wrapper->tlv[wrapper->tlv_num]->value[0] = value;
 wrapper->tlv_num++;
 }
@@ -369,9 +393,17 @@ void fill_wrapper_tlv_byte(struct packet_wrapper *wrapper, int id, char value) {
 /* Fill the TLV structure to the wrapper (for multiple bytes value) */
 void fill_wrapper_tlv_bytes(struct packet_wrapper *wrapper, int id, int len, char* value) {
 wrapper->tlv[wrapper->tlv_num] = malloc(sizeof(struct tlv_hdr));
+ if (!wrapper->tlv[wrapper->tlv_num]) {
+ indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV", __LINE__);
+ return;
+ }
 wrapper->tlv[wrapper->tlv_num]->id = id;
 wrapper->tlv[wrapper->tlv_num]->len = len;
 wrapper->tlv[wrapper->tlv_num]->value = (char*)malloc(len);
+ if (!wrapper->tlv[wrapper->tlv_num]->value) {
+ indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV value", __LINE__);
+ return;
+ }
 memcpy(wrapper->tlv[wrapper->tlv_num]->value, value, len);
 wrapper->tlv_num++;
 }
diff --git a/indigo_packet.c b/indigo_packet.c
index 5601287..9b48750 100644
--- a/indigo_packet.c
+++ b/indigo_packet.c
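Review bot: When the second malloc() fails in fill_wrapper_tlv_byte, the added `return;` leaves the header just stored in `wrapper->tlv[wrapper->tlv_num]` allocated with a NULL `value` and `tlv_num` not advanced, so the next fill call overwrites the slot and the header leaks; the second check in the fill_wrapper_tlv_bytes hunk has the same problem. Releasing and clearing the slot before returning keeps the wrapper consistent: `free(wrapper->tlv[wrapper->tlv_num]); wrapper->tlv[wrapper->tlv_num] = NULL;`. Neither function compares `tlv_num` with the capacity of `tlv[]` in the lines shown; the array's declaration is outside the diff, so that bound is worth confirming.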
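Review bot: `malloc(len)` in fill_wrapper_tlv_bytes takes the caller's `int len` unchecked, so a zero length may legitimately return NULL and is now logged as an allocation failure and the TLV silently dropped, while a negative length converts to a very large size_t before reaching malloc() and memcpy(). A guard at the top, `if (len < 0) return;` with its own log line, and applying the NULL check only when `len > 0`, would separate bad input from real memory exhaustion. The two messages added here also omit the requested size that the equivalent messages in the other hunks print; appending `(size: %d)` with `len` would keep the logs uniform.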
@@ -50,6 +50,10 @@ int parse_packet(struct packet_wrapper *req, char *packet, size_t packet_len) {
 /* Parse the TLVs */
 while (packet_len - parser > 0) {
 req->tlv[req->tlv_num] = (struct tlv_hdr *)malloc(sizeof(struct tlv_hdr));
+ if (!req->tlv[req->tlv_num]) {
+ indigo_logger(LOG_LEVEL_ERROR, "%d: Failed to allocate memory for TLV; %d" , __LINE__, req->tlv_num);
+ return -1;
+ }
 memset(req->tlv[req->tlv_num], 0, sizeof(struct tlv_hdr));
 ret = parse_tlv(req->tlv[req->tlv_num], packet + parser, packet_len - parser);
@@ -212,6 +216,10 @@ int add_tlv(struct tlv_hdr *tlv, int id, size_t len, char *value) {
 tlv->id = id;
 tlv->len = len;
 tlv->value = (char*)malloc(sizeof(char)*len);
+ if (!tlv->value) {
+ indigo_logger(LOG_LEVEL_ERROR, "Failed to allocate memory for TLV value: %d", tlv->len);
+ return 1;
+ }
 memcpy(tlv->value, value, len);
 return 0;
 }
@@ -225,6 +233,10 @@ int parse_tlv(struct tlv_hdr *tlv, char *packet, size_t packet_len) {
 tlv->id = ((packet[0] & 0x00ff) << 8) | (packet[1] & 0x00ff);
 tlv->len = packet[2];
 tlv->value = (char*)malloc(sizeof(char) * tlv->len);
+ if (!tlv->value) {
+ indigo_logger(LOG_LEVEL_ERROR, "Failed to allocate memory for TLV value: %d", tlv->len);
+ return -1;
+ }
 memcpy(tlv->value, &packet[3], tlv->len);
 tlv->value[tlv->len] = '\0';
From 28cb9076b0a216f460d98aeaeb84c703c8e5da6a Mon Sep 17 00:00:00 2001
From: Chaitanya Tata
Date: Tue, 28 May 2024 23:28:31 +0530
Subject: [PATCH 2/3] [nrf toup] packet: Fix heap corruption
While parsing the packet all TLV's are NULl terminated explicitly, so, take in to account the NULL terminating byte while memory allocation. Else, this overrides other memory causing hard to debug heap corruptions. Fixes SHEL-2754.
Signed-off-by: Chaitanya Tata
---
 indigo_packet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/indigo_packet.c b/indigo_packet.c
index 9b48750..eed0b77 100644
--- a/indigo_packet.c
+++ b/indigo_packet.c
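Review bot: `req->tlv[req->tlv_num]` is written at the top of every loop iteration in parse_packet with no visible bound on `req->tlv_num`, and the number of iterations is driven by the received packet's length, so the new NULL check does not stop a packet holding many short TLVs from indexing past the end of `tlv[]`. The array's declared size and the rest of the loop body are outside the hunk; if no limit exists there, a check such as `if (req->tlv_num >= TLV_CAPACITY) return -1;` (TLV_CAPACITY being a placeholder for the real array size) belongs before the malloc(). The added `return -1;` also leaves the TLVs parsed so far allocated in `req`, so the caller has to free the wrapper on this path. Because `packet_len` is a size_t, `packet_len - parser > 0` is most likely evaluated unsigned and is then true whenever the two values differ, including when `parser` has stepped past `packet_len`; `parser`'s declaration is not shown.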
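Review bot: The failure branch added to add_tlv returns 1, while the checks added to parse_packet and parse_tlv in this same patch return -1, so a caller that tests the result with `< 0` would treat a failed allocation as success; the callers are outside the diff, so check what they compare against. `tlv->id` and `tlv->len` are already assigned when the branch is taken, which leaves a TLV advertising `len` bytes behind a NULL `value`. Resetting the length and using the common convention, `tlv->len = 0; return -1;`, would keep the structure and the error codes consistent. The `%d` specifier is correct only if `tlv->len` is an int, which the struct definition (not shown) would confirm.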
@@ -232,7 +232,7 @@ int parse_tlv(struct tlv_hdr *tlv, char *packet, size_t packet_len) {
 tlv->id = ((packet[0] & 0x00ff) << 8) | (packet[1] & 0x00ff);
 tlv->len = packet[2];
- tlv->value = (char*)malloc(sizeof(char) * tlv->len);
+ tlv->value = (char*)malloc((sizeof(char) * tlv->len) + 1);
 if (!tlv->value) {
 indigo_logger(LOG_LEVEL_ERROR, "Failed to allocate memory for TLV value: %d", tlv->len);
 return -1;
From 3ba80836cd3d92e9c02c2d7852ca8a1ff53733ec Mon Sep 17 00:00:00 2001
From: Chaitanya Tata
Date: Wed, 29 May 2024 20:17:46 +0530
Subject: [PATCH 3/3] [nrf noup] zephyr: Fix POSIX failures
When using POSIX_API we need to define dummy prototype for compilation to succeed.
Signed-off-by: Chaitanya Tata
---
 eloop.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/eloop.c b/eloop.c
index efd5b29..273d95b 100644
--- a/eloop.c
+++ b/eloop.c
@@ -22,6 +22,9 @@
 #include
 #ifdef CONFIG_ZEPHYR
 #include
+#include
+#define signal(a, b) (void)(b)
+#define alarm(a) (void)(a)
 #else
 #include "sys/select.h"
 #endif
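Review bot: `tlv->len = packet[2];` reads the length byte through a plain `char *` without the `& 0x00ff` mask that the line above applies to the two id bytes, so where char is signed a byte of 0x80 or more can become negative if `tlv->len` is a signed type (the struct is not shown). With the new `+ 1`, a length of -1 makes the size expression wrap to 0, so malloc() may succeed and the memcpy() that follows the check (visible in the previous patch's hunk) would then run with a huge count. Masking the byte, `tlv->len = packet[2] & 0x00ff;`, removes the dependence on char signedness. No line in this hunk compares `3 + tlv->len` with `packet_len` before the copy; parse_tlv begins above the hunk, so confirm that the check exists there.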
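Review bot: The two stub macros expand to a bare cast with no outer parentheses and silently replace the libc names `signal` and `alarm` for the rest of eloop.c, with nothing at the definition saying so. Wrapping the expansions, `#define signal(a, b) ((void)(b))` and `#define alarm(a) ((void)(a))`, follows normal macro hygiene, and a comment above them such as `/* Zephyr POSIX_API build: signal() and alarm() are stubbed to no-ops */` tells a reader that any signal-driven or alarm-based path in this file does nothing under CONFIG_ZEPHYR. The defines must also stay after every header that declares those functions; the include names are not visible in this view, so check the order.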