Fix an OOBR in lwapp_control_print().

infrastation · infrastation · commit 1f2e3d10d4a8 · 2025-11-26T14:48:14.000Z
Ironically, the code I added to validate LWAPP packets better can do an
out-of-bounds read if a message element type is out of range.  This bug
has been noted internally for some time, now Tommy DeVoss of Braze
Security has discovered it independently.  Get the array size right to
fix this.
diff --git a/print-lwapp.c b/print-lwapp.c
@@ -325,7 +325,13 @@ static const struct tok lwapp_msg_elem_values[] = {
 	{ 0, NULL}
 };
 
-static const uint16_t msg_elem_minlen[] = {
+/*
+ * Message element type is an 8-bit value, so size the array to make any
+ * uint8_t index valid.  Array elements that are implicitly initialized to 0
+ * effectively mean no minimum length requirement for the respective message
+ * element types.
+ */
+static const uint16_t msg_elem_minlen[UINT8_MAX + 1] = {
 	[LWAPP_MSGELEM_AC_ADDRESS]                         =   7,
 	// Omit "Result Code".
 	[LWAPP_MSGELEM_WTP_DESCRIPTOR]                     =  16,
