Add checks for malformed frames

api/liboni/oni.c

@@ -667,6 +667,10 @@ int oni_read_frame(const oni_ctx ctx, oni_frame_t **frame)
     assert(iframe->private.f.data_sz > 0 && "Zero-sized frame");
     assert(iframe->private.f.data_sz <= ctx->max_read_frame_size && "Invalid frame size");
 
+    if (iframe->private.f.data_sz == 0
+        || iframe->private.f.data_sz > ctx->max_read_frame_size)
+        return ONI_EBADFRAME; 
+
     // Find read size (+ padding)
     size_t rsize = iframe->private.f.data_sz;
     rsize += rsize % sizeof(oni_fifo_dat_t);
@@ -890,6 +894,10 @@ const char *oni_error_str(int err)
             return "Attempted to directly read or write a protected "
                    "configuration option";
         }
+        case ONI_EBADFRAME: 
+        {
+            return "Received malformed frame";
+        }
         default:
             return "Unknown error";
     }
@@ -1202,6 +1210,8 @@ static int _oni_read_buffer(oni_ctx ctx, void **data, size_t size, int allow_ref
     else
         remaining = 0;
 
+    assert(remaining >= 0 && "buffer inversion");
+
     // TODO: Is there a way to get rid of allow_refill?
     // NB: Frames must reference a single buffer, so we must refill if less
     // than max possible frame size on the first read within oni_read_frame().

api/liboni/onidefs.h

@@ -53,9 +53,10 @@ enum {
     ONI_ENOTWRITEDEV = -25, // Frame allocation attempted for a non-writable device
     ONI_EDEVIDXREPEAT = -26, // Device table contains repeated device indices
     ONI_EPROTCONFIG = -27, // Attempted to directly read or write a protected configuration option
+    ONI_EBADFRAME = -28, // Received malformed frame
 
     // NB: Always at bottom
-    ONI_MINERRORNUM = -28
+    ONI_MINERRORNUM = -29
 };
 
 // Registers available in the specification