Skip to content

Cbmc proof coverage expansion#375

Open
AniruddhaKanhere wants to merge 12 commits into
FreeRTOS:mainfrom
AniruddhaKanhere:cbmc-proof-coverage-expansion
Open

Cbmc proof coverage expansion#375
AniruddhaKanhere wants to merge 12 commits into
FreeRTOS:mainfrom
AniruddhaKanhere:cbmc-proof-coverage-expansion

Conversation

@AniruddhaKanhere

@AniruddhaKanhere AniruddhaKanhere commented Jun 26, 2026

Copy link
Copy Markdown
Member

Description

Test Steps

Checklist:

  • I have tested my changes. No regression in existing tests.
  • I have modified and/or added unit-tests to cover the code changes in this Pull Request.

Related Issue

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

…essIncomingPacketTypeAndLength, DeserializeConnAck
…d CBMC proof

MQTT_GetSubscribePacketSize did not validate pPacketSize before calling
calculateSubscriptionPacketSize(), which writes through it. A caller passing
pPacketSize == NULL would trigger a NULL-pointer write. The sibling
MQTT_GetUnsubscribePacketSize already performs this check. Add the matching
guard and a CBMC memory-safety proof (now VERIFICATION SUCCESSFUL) that covers
the NULL parameter case.
handleIncomingPublish (PUBLISH) and handleIncomingAck (PINGRESP) handed a
partially-initialized MQTTDeserializedInfo_t to the application callback, leaving
pReasonCode indeterminate. Zero-initialize all such locals (matching the existing
'= { 0 }' usage in the disconnect/keep-alive paths) so every field is defined
before crossing the public callback boundary. Also applied to handlePublishAcks
and handleSubUnsubAck for consistency.
…ransmits,StatefulQoS,Connect}, SerializePublishHeaderWithoutTopic, UpdateDuplicatePublishFlag
…te proof

addRecord() indexed records[ recordCount - 1U ] before any zero-count check.
Calling MQTT_ReserveState (a public API) for QoS1/QoS2 on a context where the
publish-record array was never configured (records == NULL, recordCount == 0,
e.g. MQTT_InitStatefulQoS not called) made ( recordCount - 1U ) wrap to SIZE_MAX,
an out-of-bounds read. Guard the compaction check with recordCount > 0U; the
subsequent loop already no-ops for count 0, returning MQTTNoMemory. Add a CBMC
proof for MQTT_ReserveState (now VERIFICATION SUCCESSFUL).
archigup
archigup previously approved these changes Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants