From 95d72b447e96e5d910691d8b8b7e51f6c9958a7a Mon Sep 17 00:00:00 2001
From: Aaron Cuevas Lopez
Date: Wed, 20 Dec 2023 12:44:42 +0100
Subject: [PATCH] Add checks for malformed frames
---
 api/liboni/oni.c | 10 ++++++++++
 api/liboni/onidefs.h | 3 ++-
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/api/liboni/oni.c b/api/liboni/oni.c
index 3a13479..df96eca 100644
--- a/api/liboni/oni.c
+++ b/api/liboni/oni.c
@@ -667,6 +667,10 @@ int oni_read_frame(const oni_ctx ctx, oni_frame_t **frame)
 assert(iframe->private.f.data_sz > 0 && "Zero-sized frame");
 assert(iframe->private.f.data_sz <= ctx->max_read_frame_size && "Invalid frame size");
+ if (iframe->private.f.data_sz == 0
+ || iframe->private.f.data_sz > ctx->max_read_frame_size)
+ return ONI_EBADFRAME;
+
 // Find read size (+ padding)
 size_t rsize = iframe->private.f.data_sz;
 rsize += rsize % sizeof(oni_fifo_dat_t);
@@ -890,6 +894,10 @@ const char *oni_error_str(int err)
 return "Attempted to directly read or write a protected "
 "configuration option";
 }
+ case ONI_EBADFRAME:
+ {
+ return "Received malformed frame";
+ }
 default:
 return "Unknown error";
 }
@@ -1202,6 +1210,8 @@ static int _oni_read_buffer(oni_ctx ctx, void **data, size_t size, int allow_ref
 else
 remaining = 0;
+ assert(remaining >= 0 && "buffer inversion");
+
 // TODO: Is there a way to get rid of allow_refill?
 // NB: Frames must reference a single buffer, so we must refill if less
 // than max possible frame size on the first read within oni_read_frame().
diff --git a/api/liboni/onidefs.h b/api/liboni/onidefs.h
index 1b76c17..7b47c78 100644
--- a/api/liboni/onidefs.h
+++ b/api/liboni/onidefs.h
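Review bot: In the oni_read_frame hunk the two `assert` lines directly above the new `if` test the same conditions, so a build with assertions enabled still aborts on a malformed frame and `ONI_EBADFRAME` is only ever returned when `NDEBUG` compiles them out. `data_sz` is taken from the frame being read, so it is input to validate rather than an invariant; I would drop the two asserts and let the runtime check be the only guard. The early return also leaves `iframe` untouched: if it was allocated earlier in the function (the allocation is outside this hunk), it has to be released before returning, as the function's other error paths presumably do. A short comment on the check, e.g. `// data_sz comes from the device stream; reject it before it is used as a read size`, would record why an assert is not enough.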
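Review bot: The `assert(remaining >= 0 && "buffer inversion")` added in the _oni_read_buffer hunk is the only guard against an inverted buffer and it is compiled out under `NDEBUG`, so a release build carries on with whatever `remaining` holds. The declaration of `remaining` is outside the hunk; if it is an unsigned type such as `size_t`, the condition is always true and the assert checks nothing, in which case the two positions need to be compared before they are subtracted. To stay consistent with the oni_read_frame hunk of this commit, pair the assert with a runtime check that returns an error code to the caller. The function body starts and ends outside the hunk.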
@@ -53,9 +53,10 @@ enum {
 ONI_ENOTWRITEDEV = -25, // Frame allocation attempted for a non-writable device
 ONI_EDEVIDXREPEAT = -26, // Device table contains repeated device indices
 ONI_EPROTCONFIG = -27, // Attempted to directly read or write a protected configuration option
+ ONI_EBADFRAME = -28, // Received malformed frame
 // NB: Always at bottom
- ONI_MINERRORNUM = -28
+ ONI_MINERRORNUM = -29
 };
 // Registers available in the specification