Merge pull request #2110 from iNavFlight/de_msp_boxnames_overflow_check

Check for buffer overflow in MSP_BOX_NAMES reply
2025-07-26 09:45:33 +03:00 · 2017-09-19 14:31:12 +10:00 · 2017-09-19 14:31:12 +10:00 · 631ceaed09
commit 631ceaed09
parent daaf08300d 1a5c9c9612
2 changed files with 22 additions and 21 deletions
--- a/src/main/common/streambuf.c
+++ b/src/main/common/streambuf.c
@ -22,10 +22,7 @@

 void sbufWriteU8(sbuf_t *dst, uint8_t val)
 {
-    // Silently discard if buffer is overflown
-    if (dst->ptr < dst->end) {
    *dst->ptr++ = val;
-    }
 }

 void sbufWriteU16(sbuf_t *dst, uint16_t val)
@ -64,12 +61,6 @@ void sbufFill(sbuf_t *dst, uint8_t data, int len)

 void sbufWriteData(sbuf_t *dst, const void *data, int len)
 {
-    // Silently discard bytes overflowing the buffer
-    const int remainingBytes = sbufBytesRemaining(dst);
-    if (remainingBytes < len) {
-        len = remainingBytes;
-    }
-
    memcpy(dst->ptr, data, len);
    dst->ptr += len;
 }
@ -97,13 +88,7 @@ void sbufWriteStringWithZeroTerminator(sbuf_t *dst, const char *string)

 uint8_t sbufReadU8(sbuf_t *src)
 {
-    // Return zero if buffer is overrun
-    if (src->ptr < src->end) {
    return *src->ptr++;
-    }
-    else {
-        return 0;
-    }
 }

 uint16_t sbufReadU16(sbuf_t *src)
--- a/src/main/fc/fc_msp.c
+++ b/src/main/fc/fc_msp.c
@ -260,10 +260,22 @@ static const box_t *findBoxByPermenantId(uint8_t permenantId)
    return NULL;
 }

-static void serializeBoxNamesReply(sbuf_t *dst)
+static bool serializeBoxNamesReply(sbuf_t *dst)
 {
-    // in first run of the loop, we grab total size of junk to be sent
-    // then come back and actually send it
+    // First run of the loop - calculate total length of the reply
+    int replyLengthTotal = 0;
+    for (int i = 0; i < activeBoxIdCount; i++) {
+        const box_t *box = findBoxByActiveBoxId(activeBoxIds[i]);
+        if (box) {
+            replyLengthTotal += strlen(box->boxName);
+        }
+    }
+
+    // Check if we have enough space to send a reply
+    if (sbufBytesRemaining(dst) < replyLengthTotal) {
+        return false;
+    }
+
    for (int i = 0; i < activeBoxIdCount; i++) {
        const int activeBoxId = activeBoxIds[i];
        const box_t *box = findBoxByActiveBoxId(activeBoxId);
@ -272,6 +284,8 @@ static void serializeBoxNamesReply(sbuf_t *dst)
            sbufWriteData(dst, box->boxName, len);
        }
    }
+
+    return true;
 }

 static void initActiveBoxIds(void)
@ -787,7 +801,9 @@ static bool mspFcProcessOutCommand(uint16_t cmdMSP, sbuf_t *dst, mspPostProcessF
        break;

    case MSP_BOXNAMES:
-        serializeBoxNamesReply(dst);
+        if (!serializeBoxNamesReply(dst)) {
+            return false;
+        }
        break;

    case MSP_BOXIDS: