From 401621161fe4137b08ad2b4ac79fe3bfeef7f6f2 Mon Sep 17 00:00:00 2001
From: Vivien Nicolas <vnicolas@apple.com>
Date: Mon, 2 May 2022 22:36:22 +0200
Subject: [PATCH] [OTA] Use-after-free in OTAProviderExample::HandleQueryImage
 (#17965)

---
 .../ota-provider-common/OTAProviderExample.cpp      | 13 +++++++------
 .../ota-provider-common/OTAProviderExample.h        |  2 +-
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/examples/ota-provider-app/ota-provider-common/OTAProviderExample.cpp b/examples/ota-provider-app/ota-provider-common/OTAProviderExample.cpp
index 636e4d4cc08303..d3b229cc57a969 100644
--- a/examples/ota-provider-app/ota-provider-common/OTAProviderExample.cpp
+++ b/examples/ota-provider-app/ota-provider-common/OTAProviderExample.cpp
@@ -123,8 +123,9 @@ void OTAProviderExample::SetOTACandidates(std::vector<OTAProviderExample::Device
     // Validate that each candidate matches the info in the image header
     for (auto candidate : mCandidates)
     {
+        OTAImageHeaderParser parser;
         OTAImageHeader header;
-        ParseOTAHeader(candidate.otaURL, header);
+        ParseOTAHeader(parser, candidate.otaURL, header);
 
         ChipLogDetail(SoftwareUpdate, "Validating image list candidate %s: ", candidate.otaURL);
         VerifyOrDie(candidate.vendorId == header.mVendorId);
@@ -141,6 +142,7 @@ void OTAProviderExample::SetOTACandidates(std::vector<OTAProviderExample::Device
         {
             VerifyOrDie(candidate.maxApplicableSoftwareVersion == header.mMaxApplicableVersion.Value());
         }
+        parser.Clear();
     }
 }
 
@@ -190,9 +192,8 @@ UserConsentSubject OTAProviderExample::GetUserConsentSubject(const app::CommandH
     return subject;
 }
 
-bool OTAProviderExample::ParseOTAHeader(const char * otaFilePath, OTAImageHeader & header)
+bool OTAProviderExample::ParseOTAHeader(OTAImageHeaderParser & parser, const char * otaFilePath, OTAImageHeader & header)
 {
-    OTAImageHeaderParser parser;
     uint8_t otaFileContent[kOtaHeaderMaxSize];
     ByteSpan buffer(otaFileContent);
 
@@ -223,8 +224,6 @@ bool OTAProviderExample::ParseOTAHeader(const char * otaFilePath, OTAImageHeader
         return false;
     }
 
-    parser.Clear();
-
     return true;
 }
 
@@ -348,11 +347,13 @@ void OTAProviderExample::HandleQueryImage(app::CommandHandler * commandObj, cons
         else if (strlen(mOTAFilePath) > 0) // If OTA file is directly provided
         {
             // Parse the header and set version info based on the header
+            OTAImageHeaderParser parser;
             OTAImageHeader header;
-            VerifyOrDie(ParseOTAHeader(mOTAFilePath, header) == true);
+            VerifyOrDie(ParseOTAHeader(parser, mOTAFilePath, header) == true);
             VerifyOrDie(sizeof(mSoftwareVersionString) > header.mSoftwareVersionString.size());
             mSoftwareVersion = header.mSoftwareVersion;
             memcpy(mSoftwareVersionString, header.mSoftwareVersionString.data(), header.mSoftwareVersionString.size());
+            parser.Clear();
         }
 
         // If mUserConsentNeeded (set by the CLI) is true and requestor is capable of taking user consent
diff --git a/examples/ota-provider-app/ota-provider-common/OTAProviderExample.h b/examples/ota-provider-app/ota-provider-common/OTAProviderExample.h
index 67f67576545bb7..4ec0e9c575f1e6 100644
--- a/examples/ota-provider-app/ota-provider-common/OTAProviderExample.h
+++ b/examples/ota-provider-app/ota-provider-common/OTAProviderExample.h
@@ -94,7 +94,7 @@ class OTAProviderExample : public chip::app::Clusters::OTAProviderDelegate
                           const chip::app::Clusters::OtaSoftwareUpdateProvider::Commands::QueryImage::DecodableType & commandData,
                           uint32_t targetVersion);
 
-    bool ParseOTAHeader(const char * otaFilePath, chip::OTAImageHeader & header);
+    bool ParseOTAHeader(chip::OTAImageHeaderParser & parser, const char * otaFilePath, chip::OTAImageHeader & header);
 
     /**
      * Called to send the response for a QueryImage command. If an error is encountered, an error status will be sent.