Mirror/betaflight
1
0
Fork 0
mirror of https://github.com/betaflight/betaflight.git synced 2025-07-13 19:40:31 +03:00
Code Issues Wiki Activity

rc-modes bugfix - prevent buffer overflow when serializing box names (#13880)

Browse source
This commit is contained in:
Petr Ledvina 2024-09-10 18:15:52 +02:00 committed by GitHub
parent 1382c30601
commit aa92203215
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
5 changed files with 40 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/main/cli/settings.c
View file

@ -1835,10 +1835,10 @@ const clivalue_t valueTable[] = {
// PG_MODE_ACTIVATION_CONFIG // PG_MODE_ACTIVATION_CONFIG
#if defined(USE_CUSTOM_BOX_NAMES) #if defined(USE_CUSTOM_BOX_NAMES)
{ "box_user_1_name", VAR_UINT8 | HARDWARE_VALUE | MODE_STRING, .config.string = { 1, MAX_BOX_USER_NAME_LENGTH, STRING_FLAGS_NONE }, PG_MODE_ACTIVATION_CONFIG, offsetof(modeActivationConfig_t, box_user_1_name) }, { "box_user_1_name", VAR_UINT8 | HARDWARE_VALUE | MODE_STRING, .config.string = { 1, MAX_BOX_USER_NAME_LENGTH, STRING_FLAGS_NONE }, PG_MODE_ACTIVATION_CONFIG, offsetof(modeActivationConfig_t, box_user_names[0]) },
{ "box_user_2_name", VAR_UINT8 | HARDWARE_VALUE | MODE_STRING, .config.string = { 1, MAX_BOX_USER_NAME_LENGTH, STRING_FLAGS_NONE }, PG_MODE_ACTIVATION_CONFIG, offsetof(modeActivationConfig_t, box_user_2_name) }, { "box_user_2_name", VAR_UINT8 | HARDWARE_VALUE | MODE_STRING, .config.string = { 1, MAX_BOX_USER_NAME_LENGTH, STRING_FLAGS_NONE }, PG_MODE_ACTIVATION_CONFIG, offsetof(modeActivationConfig_t, box_user_names[1]) },
{ "box_user_3_name", VAR_UINT8 | HARDWARE_VALUE | MODE_STRING, .config.string = { 1, MAX_BOX_USER_NAME_LENGTH, STRING_FLAGS_NONE }, PG_MODE_ACTIVATION_CONFIG, offsetof(modeActivationConfig_t, box_user_3_name) }, { "box_user_3_name", VAR_UINT8 | HARDWARE_VALUE | MODE_STRING, .config.string = { 1, MAX_BOX_USER_NAME_LENGTH, STRING_FLAGS_NONE }, PG_MODE_ACTIVATION_CONFIG, offsetof(modeActivationConfig_t, box_user_names[2]) },
{ "box_user_4_name", VAR_UINT8 | HARDWARE_VALUE | MODE_STRING, .config.string = { 1, MAX_BOX_USER_NAME_LENGTH, STRING_FLAGS_NONE }, PG_MODE_ACTIVATION_CONFIG, offsetof(modeActivationConfig_t, box_user_4_name) }, { "box_user_4_name", VAR_UINT8 | HARDWARE_VALUE | MODE_STRING, .config.string = { 1, MAX_BOX_USER_NAME_LENGTH, STRING_FLAGS_NONE }, PG_MODE_ACTIVATION_CONFIG, offsetof(modeActivationConfig_t, box_user_names[3]) },
#endif #endif
}; };

9
src/main/fc/rc_modes.c
View file

@ -59,14 +59,7 @@ static uint8_t activeLinkedMacArray[MAX_MODE_ACTIVATION_CONDITION_COUNT];
PG_REGISTER_ARRAY(modeActivationCondition_t, MAX_MODE_ACTIVATION_CONDITION_COUNT, modeActivationConditions, PG_MODE_ACTIVATION_PROFILE, 3); PG_REGISTER_ARRAY(modeActivationCondition_t, MAX_MODE_ACTIVATION_CONDITION_COUNT, modeActivationConditions, PG_MODE_ACTIVATION_PROFILE, 3);
#if defined(USE_CUSTOM_BOX_NAMES) #if defined(USE_CUSTOM_BOX_NAMES)
PG_REGISTER_WITH_RESET_TEMPLATE(modeActivationConfig_t, modeActivationConfig, PG_MODE_ACTIVATION_CONFIG, 0); PG_REGISTER(modeActivationConfig_t, modeActivationConfig, PG_MODE_ACTIVATION_CONFIG, 0);
PG_RESET_TEMPLATE(modeActivationConfig_t, modeActivationConfig,
.box_user_1_name = { 0 },
.box_user_2_name = { 0 },
.box_user_3_name = { 0 },
.box_user_4_name = { 0 },
);
#endif #endif
bool IS_RC_MODE_ACTIVE(boxId_e boxId) bool IS_RC_MODE_ACTIVE(boxId_e boxId)

8
src/main/fc/rc_modes.h
View file

@ -124,12 +124,10 @@ PG_DECLARE_ARRAY(modeActivationCondition_t, MAX_MODE_ACTIVATION_CONDITION_COUNT,
#if defined(USE_CUSTOM_BOX_NAMES) #if defined(USE_CUSTOM_BOX_NAMES)
#define MAX_BOX_USER_NAME_LENGTH 16 #define MAX_BOX_USER_NAME_LENGTH 16
#define BOX_USER_NAME_COUNT 4
STATIC_ASSERT(BOXUSER4 + 1 - BOXUSER1 == BOX_USER_NAME_COUNT, "Invalid BOX_USER_NAME_COUNT");
typedef struct modeActivationConfig_s { typedef struct modeActivationConfig_s {
char box_user_1_name[MAX_BOX_USER_NAME_LENGTH]; char box_user_names[BOX_USER_NAME_COUNT][MAX_BOX_USER_NAME_LENGTH];
char box_user_2_name[MAX_BOX_USER_NAME_LENGTH];
char box_user_3_name[MAX_BOX_USER_NAME_LENGTH];
char box_user_4_name[MAX_BOX_USER_NAME_LENGTH];
} modeActivationConfig_t; } modeActivationConfig_t;
PG_DECLARE(modeActivationConfig_t, modeActivationConfig); PG_DECLARE(modeActivationConfig_t, modeActivationConfig);

44
src/main/msp/msp_box.c
View file

@ -137,28 +137,39 @@ static bool activeBoxIdGet(boxId_e boxId)
return bitArrayGet(&activeBoxIds, boxId); return bitArrayGet(&activeBoxIds, boxId);
} }
void serializeBoxNameFn(sbuf_t *dst, const box_t *box) int serializeBoxNameFn(sbuf_t *dst, const box_t *box)
{ {
const char* name = NULL;
int len;
#if defined(USE_CUSTOM_BOX_NAMES) #if defined(USE_CUSTOM_BOX_NAMES)
if (box->boxId == BOXUSER1 && strlen(modeActivationConfig()->box_user_1_name) > 0) { if (name == NULL
sbufWriteString(dst, modeActivationConfig()->box_user_1_name); && box->boxId >= BOXUSER1 && box->boxId <= BOXUSER4) {
} else if (box->boxId == BOXUSER2 && strlen(modeActivationConfig()->box_user_2_name) > 0) { const int n = box->boxId - BOXUSER1;
sbufWriteString(dst, modeActivationConfig()->box_user_2_name); name = modeActivationConfig()->box_user_names[n];
} else if (box->boxId == BOXUSER3 && strlen(modeActivationConfig()->box_user_3_name) > 0) { // possibly there is no '\0' in boxname
sbufWriteString(dst, modeActivationConfig()->box_user_3_name); len = strnlen(name, sizeof(modeActivationConfig()->box_user_names[0]));
} else if (box->boxId == BOXUSER4 && strlen(modeActivationConfig()->box_user_4_name) > 0) {
sbufWriteString(dst, modeActivationConfig()->box_user_4_name);
} else
#endif
{
sbufWriteString(dst, box->boxName);
} }
#endif
if (name == NULL) {
name = box->boxName;
len = strlen(name);
}
if (sbufBytesRemaining(dst) < len + 1) {
// boxname or separator won't fit
return -1;
}
sbufWriteData(dst, name, len);
sbufWriteU8(dst, ';'); sbufWriteU8(dst, ';');
return len + 1;
} }
void serializeBoxPermanentIdFn(sbuf_t *dst, const box_t *box) int serializeBoxPermanentIdFn(sbuf_t *dst, const box_t *box)
{ {
if (sbufBytesRemaining(dst) < 1) {
return -1;
}
sbufWriteU8(dst, box->permanentId); sbufWriteU8(dst, box->permanentId);
return 1;
} }
// serialize 'page' of boxNames. // serialize 'page' of boxNames.
@ -171,7 +182,10 @@ void serializeBoxReply(sbuf_t *dst, int page, serializeBoxFn *serializeBox)
for (boxId_e id = 0; id < CHECKBOX_ITEM_COUNT; id++) { for (boxId_e id = 0; id < CHECKBOX_ITEM_COUNT; id++) {
if (activeBoxIdGet(id)) { if (activeBoxIdGet(id)) {
if (boxIdx >= pageStart && boxIdx < pageEnd) { if (boxIdx >= pageStart && boxIdx < pageEnd) {
(*serializeBox)(dst, findBoxByBoxId(id)); if ((*serializeBox)(dst, findBoxByBoxId(id)) < 0) {
// failed to serialize, abort
return;
}
} }
boxIdx++; // count active boxes boxIdx++; // count active boxes
} }

6
src/main/msp/msp_box.h
View file

@ -36,9 +36,9 @@ const box_t *findBoxByPermanentId(uint8_t permanentId);
struct boxBitmask_s; struct boxBitmask_s;
int packFlightModeFlags(struct boxBitmask_s *mspFlightModeFlags); int packFlightModeFlags(struct boxBitmask_s *mspFlightModeFlags);
struct sbuf_s; struct sbuf_s;
void serializeBoxNameFn(struct sbuf_s *dst, const box_t *box); int serializeBoxNameFn(struct sbuf_s *dst, const box_t *box);
void serializeBoxPermanentIdFn(struct sbuf_s *dst, const box_t *box); int serializeBoxPermanentIdFn(struct sbuf_s *dst, const box_t *box);
typedef void serializeBoxFn(struct sbuf_s *dst, const box_t *box); typedef int serializeBoxFn(struct sbuf_s *dst, const box_t *box);
void serializeBoxReply(struct sbuf_s *dst, int page, serializeBoxFn *serializeBox); void serializeBoxReply(struct sbuf_s *dst, int page, serializeBoxFn *serializeBox);
void initActiveBoxIds(void); void initActiveBoxIds(void);
bool getBoxIdState(boxId_e boxid); bool getBoxIdState(boxId_e boxid);