Commit 5cc49d5

mergify[bot], woody-apple, claude and robszewczyk authored
Reject zero-length TCP messages to prevent connection slot abuse (#71942) (#72383)
* Reject zero-length TCP messages to prevent connection slot abuse

  Zero-length messages (4-byte header of all zeros) were silently accepted as valid, keeping the connection alive. An attacker could hold all TCP connection slots (default: 4) indefinitely by sending just 4 zero bytes per probe, blocking legitimate CASE sessions.

  Reject zero-length messages and close the connection, since no valid Matter message has zero payload length.

* Address review: remove redundant CloseConnectionInternal, fix test

  - Remove explicit CloseConnectionInternal call since the caller (OnDataReceived) already handles connection closure on error return
  - Update test to expect CHIP_ERROR_INVALID_MESSAGE_LENGTH for zero-length messages

* Retrigger CI (REPL timeout)

* Retrigger CI

---------

(cherry picked from commit 0e0a4aa)

Co-authored-by: Justin Wood <woody@apple.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Robert Szewczyk <szewczyk@google.com>
1 parent c4fd23c commit 5cc49d5

2 files changed

Lines changed: 6 additions & 4 deletions

src/transport/raw/TCP.cpp

Lines changed: 4 additions & 2 deletions
@@ -347,8 +347,10 @@ CHIP_ERROR TCPBase::ProcessReceivedBuffer(Inet::TCPEndPoint * endPoint, const Pe
347347

348348
if (messageSize == 0)
349349
{
350-
// No payload but considered a valid message. Return success to keep the connection alive.
351-
return CHIP_NO_ERROR;
350+
// Zero-length messages are not valid Matter messages. Reject to
351+
// prevent attackers from holding TCP connection slots indefinitely.
352+
ChipLogError(Inet, "Received zero-length TCP message, closing connection.");
353+
return CHIP_ERROR_INVALID_MESSAGE_LENGTH;
352354
}
353355

354356
ReturnErrorOnFailure(ProcessSingleMessage(peerAddress, state, messageSize));
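Review bot: The new log line in the `messageSize == 0` branch says "closing connection", but nothing in this branch closes anything; per the commit message the explicit CloseConnectionInternal call was dropped and closure now depends on the caller (OnDataReceived) reacting to the error return. Please say so in the comment, for example "the caller closes the connection on any error returned from here", so a later refactor of the caller does not silently reintroduce the slot-holding behaviour. The log also omits which peer sent the empty frame, although `peerAddress` is in scope (it is passed to ProcessSingleMessage two lines below); including it would make repeated probes attributable. Since this path is reachable before any session is established, consider whether an unconditional ChipLogError per message is the right severity, or whether it should be rate limited.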

src/transport/raw/tests/TestTCP.cpp

Lines changed: 2 additions & 2 deletions
@@ -696,11 +696,11 @@ TEST_F(TestTCP, CheckProcessReceivedBuffer)
696696
TestData testData[2];
697697
gMockTransportMgrDelegate.SetCallback(TestDataCallbackCheck, testData);
698698

699-
// Test a single packet buffer with zero message size.
699+
// Test a single packet buffer with zero message size - should be rejected.
700700
System::PacketBufferHandle buf = System::PacketBufferHandle::NewWithData(messageSize_TEST, 4);
701701
ASSERT_NE(&buf, nullptr);
702702
err = TestAccess::ProcessReceivedBuffer(tcp, lEndPoint, lPeerAddress, std::move(buf));
703-
EXPECT_EQ(err, CHIP_NO_ERROR);
703+
EXPECT_EQ(err, CHIP_ERROR_INVALID_MESSAGE_LENGTH);
704704

705705
// Test a single packet buffer.
706706
gMockTransportMgrDelegate.mReceiveHandlerCallCount = 0;
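Review bot: The updated expectation at new line 703 checks only the return code of `TestAccess::ProcessReceivedBuffer`, which is called directly, so the test never exercises the caller that is now solely responsible for closing the connection. The property this commit is about is that the connection slot is released, and that is not asserted anywhere in this hunk. Please add a case that drives the zero-length header through the normal receive path and asserts that the connection is closed afterwards, and assert here that the receive handler was not invoked for the rejected message (the hunk already uses `gMockTransportMgrDelegate.mReceiveHandlerCallCount` for the next case). Separately, `ASSERT_NE(&buf, nullptr);` compares the address of a local and can never fail; checking that the handle itself is non-null would make that line meaningful.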
