mirror of https://github.com/iNavFlight/inav.git synced 2025-07-26 09:45:33 +03:00

Merge pull request #2110 from iNavFlight/de_msp_boxnames_overflow_check

Check for buffer overflow in MSP_BOX_NAMES reply
Konstantin Sharlaimov 2017-09-19 14:31:12 +10:00 committed by GitHub
commit 631ceaed09
2 changed files with 22 additions and 21 deletions


@ -22,10 +22,7 @@
void sbufWriteU8(sbuf_t *dst, uint8_t val) void sbufWriteU8(sbuf_t *dst, uint8_t val)
{ {
// Silently discard if buffer is overflown *dst->ptr++ = val;
if (dst->ptr < dst->end) {
*dst->ptr++ = val;
}
} }
void sbufWriteU16(sbuf_t *dst, uint16_t val) void sbufWriteU16(sbuf_t *dst, uint16_t val)
@ -64,12 +61,6 @@ void sbufFill(sbuf_t *dst, uint8_t data, int len)
void sbufWriteData(sbuf_t *dst, const void *data, int len) void sbufWriteData(sbuf_t *dst, const void *data, int len)
{ {
// Silently discard bytes overflowing the buffer
const int remainingBytes = sbufBytesRemaining(dst);
if (remainingBytes < len) {
len = remainingBytes;
}
memcpy(dst->ptr, data, len); memcpy(dst->ptr, data, len);
dst->ptr += len; dst->ptr += len;
} }
@ -97,13 +88,7 @@ void sbufWriteStringWithZeroTerminator(sbuf_t *dst, const char *string)
uint8_t sbufReadU8(sbuf_t *src) uint8_t sbufReadU8(sbuf_t *src)
{ {
// Return zero if buffer is overrun return *src->ptr++;
if (src->ptr < src->end) {
return *src->ptr++;
}
else {
return 0;
}
} }
uint16_t sbufReadU16(sbuf_t *src) uint16_t sbufReadU16(sbuf_t *src)
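Review bot: With the guards removed, `sbufWriteU8`, `sbufWriteData` and `sbufReadU8` dereference and advance `ptr` with no comparison against `end`, so every caller must now prove the space beforehand; of the callers visible on this page only serializeBoxNamesReply does. `sbufReadU8` deserves the most attention if `src` can hold data received over the link, because a short frame would then be read past its end (whether callers validate the payload size first is not visible here). Either keep a cheap guard in the writers, such as `if (dst->ptr >= dst->end) { return; }`, or state the precondition on each function, e.g. `// Caller must ensure sbufBytesRemaining(dst) >= len`. `sbufWriteData` also passes an `int len` straight to `memcpy`, where a negative value converts to a huge size; `if (len <= 0) { return; }` would close that.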


@ -260,10 +260,22 @@ static const box_t *findBoxByPermenantId(uint8_t permenantId)
return NULL; return NULL;
} }
static void serializeBoxNamesReply(sbuf_t *dst) static bool serializeBoxNamesReply(sbuf_t *dst)
{ {
// in first run of the loop, we grab total size of junk to be sent // First run of the loop - calculate total length of the reply
// then come back and actually send it int replyLengthTotal = 0;
for (int i = 0; i < activeBoxIdCount; i++) {
const box_t *box = findBoxByActiveBoxId(activeBoxIds[i]);
if (box) {
replyLengthTotal += strlen(box->boxName);
}
}
// Check if we have enough space to send a reply
if (sbufBytesRemaining(dst) < replyLengthTotal) {
return false;
}
for (int i = 0; i < activeBoxIdCount; i++) { for (int i = 0; i < activeBoxIdCount; i++) {
const int activeBoxId = activeBoxIds[i]; const int activeBoxId = activeBoxIds[i];
const box_t *box = findBoxByActiveBoxId(activeBoxId); const box_t *box = findBoxByActiveBoxId(activeBoxId);
@ -272,6 +284,8 @@ static void serializeBoxNamesReply(sbuf_t *dst)
sbufWriteData(dst, box->boxName, len); sbufWriteData(dst, box->boxName, len);
} }
} }
return true;
} }
static void initActiveBoxIds(void) static void initActiveBoxIds(void)
@ -787,7 +801,9 @@ static bool mspFcProcessOutCommand(uint16_t cmdMSP, sbuf_t *dst, mspPostProcessF
break; break;
case MSP_BOXNAMES: case MSP_BOXNAMES:
serializeBoxNamesReply(dst); if (!serializeBoxNamesReply(dst)) {
return false;
}
break; break;
case MSP_BOXIDS: case MSP_BOXIDS:
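Review bot: The space check in serializeBoxNamesReply is now the only thing keeping the second loop's `sbufWriteData` calls inside `dst`, yet the two loops compute lengths independently: the first sums `strlen(box->boxName)`, while the second uses a `len` whose definition falls between the two hunks and is not visible here. If the two ever diverge (for example a separator added in the write loop), the check under-counts and the write overruns, since `sbufWriteData` no longer clamps. A contract comment above the function would pin this down, e.g. `// Returns false without writing anything if dst cannot hold all box names; the length pass must mirror the write loop`. In the MSP_BOXNAMES case the new `return false` leaves mspFcProcessOutCommand early; what the caller does with false is outside this hunk, so it is worth confirming that it produces an error reply rather than being treated as an unhandled command.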