Skip to content

Comments

RDK-60607: (cid:559820) Overflowed integer argument rtConnectedClient…#438

Closed
dshett549 wants to merge 4 commits intordkcentral:developfrom
dshett549:topic/RDK_60607_1
Closed

RDK-60607: (cid:559820) Overflowed integer argument rtConnectedClient…#438
dshett549 wants to merge 4 commits intordkcentral:developfrom
dshett549:topic/RDK_60607_1

Conversation

@dshett549
Copy link
Contributor

@dshett549 dshett549 commented Feb 13, 2026

ReasonForChange: (cid:559820) Overflowed integer argument rtConnectedClient_Read
Priority: P1
Signed-off-by: dshett549 [DEEPTHICHANDRASHEKAR_SHETTY@comcast.com]

@dshett549
RDK-60607: (cid:559820) Overflowed integer argument rtConnectedClient…
c8d1ae6 
…_Read

Signed-off-by: dshett549 <DEEPTHICHANDRASHEKAR_SHETTY@comcast.com>
@dshett549 dshett549 requested a review from a team as a code owner February 13, 2026 08:39
Copilot AI review requested due to automatic review settings February 13, 2026 08:39
Copilot AI reviewed Feb 13, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request addresses an integer overflow vulnerability (RDK-60607) in the rtConnectedClient_Read function by changing the data types used for tracking buffer sizes from signed 32-bit integers to unsigned 64-bit integers. This prevents overflow issues when handling large message payloads.

Changes:

  • Modified struct fields in rtConnectedClient from int to uint64_t for bytes_read, bytes_to_read, and read_buffer_capacity
  • Updated local variable types in rtConnectedClient_Read functions to match the new types (size_t for bytes_to_read, uint64_t for incoming_data_size)
  • Added <inttypes.h> include for PRIu64 format specifier
  • Updated log message format specifiers from %d to %" PRIu64 " to correctly print uint64_t values

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 8 comments.

File Description
src/rtmessage/rtrouteBase.h Changed three struct member types from int to uint64_t (bytes_read, bytes_to_read, read_buffer_capacity)
src/rtmessage/rtrouted.c Updated local variable types, added inttypes.h include, and modified format specifiers in log messages
src/rtmessage/rtrouteBase.c Updated local variable types, added inttypes.h include, and modified format specifiers in log messages

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@dshett549
Address Copilot review comments
02dcfa7 
Signed-off-by: dshett549 <DEEPTHICHANDRASHEKAR_SHETTY@comcast.com>
gladish
gladish requested changes Feb 18, 2026
View reviewed changes
Copy link
Contributor

@gladish gladish left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more. 

uint64_t                       bytes_read;
uint64_t                       bytes_to_read;
uint64_t                       read_buffer_capacity;

I think it's better to use size_t for these, which result in fewer casts between size_t and uint64_t.

size_t bytes_read;
size_t bytes_to_read;
size_t read_buffer_capacity;

Copilot AI review requested due to automatic review settings February 18, 2026 16:14
Copilot AI reviewed Feb 18, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@karuna2git
Copy link
Contributor

karuna2git commented Feb 19, 2026
edited
Loading

@gladish
defining to size_t will create confusion to the wired-protocol on the message header becoz different device will have length for size_t (32-bit & 64 bit). But if we defined it to be uint64_t, this will always keep fixed length for rbus message header.

Thats the main reason behind this change.

Copilot AI review requested due to automatic review settings February 19, 2026 09:12
Copilot AI reviewed Feb 19, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

src/rtmessage/rtrouted.c
if (incoming_data_size > SIZE_MAX)
{
rtLog_Info("Requested read buffer size (%" PRIu64 ") exceeds system maximum. Message will be dropped.", incoming_data_size);
_rtConnection_ReadAndDropBytes(clnt->fd, clnt->header.payload_length);
Copy link

Copilot AI Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function _rtConnection_ReadAndDropBytes expects an 'unsigned int' parameter (as defined in rtConnection.h:270), but clnt->header.payload_length is of type uint32_t. While these types are typically the same size on most platforms, this assumes that unsigned int is at least 32 bits. On platforms where unsigned int is 16 bits, this could cause truncation. Consider either casting with an explicit check, or updating the _rtConnection_ReadAndDropBytes signature to accept uint32_t for better type safety and portability.

Copilot uses AI. Check for mistakes.
src/rtmessage/rtrouteBase.c
if (incoming_data_size > SIZE_MAX)
{
rtLog_Info("Requested read buffer size (%" PRIu64 ") exceeds system maximum. Message will be dropped.", incoming_data_size);
_rtConnection_ReadAndDropBytes(clnt->fd, clnt->header.payload_length);
Copy link

Copilot AI Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The function _rtConnection_ReadAndDropBytes expects an 'unsigned int' parameter (as defined in rtConnection.h:270), but clnt->header.payload_length is of type uint32_t. While these types are typically the same size on most platforms, this assumes that unsigned int is at least 32 bits. On platforms where unsigned int is 16 bits, this could cause truncation. Consider either casting with an explicit check, or updating the _rtConnection_ReadAndDropBytes signature to accept uint32_t for better type safety and portability.

Copilot uses AI. Check for mistakes.
dshett549 and others added 2 commits February 19, 2026 15:05
@dshett549
Update rtrouteBase.c
4eeef24 
Signed-off-by: dshett549 <DEEPTHICHANDRASHEKAR_SHETTY@comcast.com>
@dshett549
Merge branch 'develop' into topic/RDK_60607_1
bc987f3
@dshett549 dshett549 closed this Feb 24, 2026
@github-actions github-actions bot locked and limited conversation to collaborators Feb 24, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

Copilot code review Copilot Copilot left review comments

@gladish gladish gladish requested changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dshett549 @karuna2git @gladish