From 338595edd1d235efd885fd5e9f45e7f9dcf4013d Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 15 Dec 2025 21:37:29 +0000
Subject: [PATCH] Fix stack buffer overflow in mavlink_log_handler sscanf calls

- Increase LogEntry.filepath buffer from 60 to 256 bytes
- Add width specifiers to sscanf calls (%255s and %1023s) to prevent buffer overflow
- Prevents remote DoS vulnerability when parsing logdata.txt with excessively long filenames

Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>
---
 src/modules/mavlink/mavlink_log_handler.cpp | 4 ++--
 src/modules/mavlink/mavlink_log_handler.h | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/modules/mavlink/mavlink_log_handler.cpp b/src/modules/mavlink/mavlink_log_handler.cpp
index 1afa32382b..e663dda8f0 100644
--- a/src/modules/mavlink/mavlink_log_handler.cpp
+++ b/src/modules/mavlink/mavlink_log_handler.cpp
@@ -174,7 +174,7 @@ void MavlinkLogHandler::state_listing()
 char filepath[PX4_MAX_FILEPATH];
 
 // If parsed lined successfully, send the entry
- if (sscanf(line, "%" PRIu32 " %" PRIu32 " %s", &time_utc, &size_bytes, filepath) != 3) {
+ if (sscanf(line, "%" PRIu32 " %" PRIu32 " %1023s", &time_utc, &size_bytes, filepath) != 3) {
 PX4_DEBUG("sscanf failed");
 continue;
 }
@@ -506,7 +506,7 @@ bool MavlinkLogHandler::log_entry_from_id(uint16_t log_id, LogEntry *entry)
 continue;
 }
 
- if (sscanf(line, "%" PRIu32 " %" PRIu32 " %s", &(entry->time_utc), &(entry->size_bytes), entry->filepath) != 3) {
+ if (sscanf(line, "%" PRIu32 " %" PRIu32 " %255s", &(entry->time_utc), &(entry->size_bytes), entry->filepath) != 3) {
 PX4_DEBUG("sscanf failed");
 continue;
 }
diff --git a/src/modules/mavlink/mavlink_log_handler.h b/src/modules/mavlink/mavlink_log_handler.h
index eb521a61ee..0af53cd2c4 100644
--- a/src/modules/mavlink/mavlink_log_handler.h
+++ b/src/modules/mavlink/mavlink_log_handler.h
@@ -53,7 +53,7 @@ private:
 uint32_t time_utc{};
 uint32_t size_bytes{};
 FILE *fp{nullptr};
- char filepath[60];
+ char filepath[256];
 uint32_t offset{};
 };
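Review bot: The `%1023s` width in the new sscanf call in state_listing is only safe while `PX4_MAX_FILEPATH` is at least 1024, and nothing in the hunk ties the two together, so a later change to the macro would silently reopen the overflow; add `static_assert(PX4_MAX_FILEPATH >= 1024, "sscanf width must fit filepath");` next to the `char filepath[PX4_MAX_FILEPATH];` declaration. The width also turns an over-long name into a truncated one rather than a rejected one: sscanf still returns 3 and the loop carries on with a path that is not the one in the listing, so checking the length of the filename field before parsing (or comparing a `%n` consumed count against the line length) would be the stricter defense; log_entry_from_id in the next hunk has the same behaviour. state_listing begins and ends outside this hunk.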
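Review bot: The `%255s` width added in log_entry_from_id and the `filepath[256]` it protects live in different files (the member is declared in mavlink_log_handler.h), joined only by two matching literals; a `static_assert(sizeof(entry->filepath) == 256, "sscanf width must match LogEntry::filepath");` beside this call keeps a future resize of the member from reintroducing the overflow. Note that `%s` still stops at the first whitespace character, so a filename containing a space yields only its first word while the call still returns 3 — not introduced by this change, but worth a one-line comment now that the call looks fully bounded. log_entry_from_id begins and ends outside this hunk.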
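Review bot: `char filepath[256];` is the one member of this struct without a brace initializer, unlike `time_utc{}`, `size_bytes{}`, `fp{nullptr}` and `offset{}` around it, so an entry whose sscanf stopped before the third conversion could carry an uninitialized path; write it as `char filepath[256]{};` and record the parser contract with a comment such as `// Sized to the %255s width used by sscanf in log_entry_from_id; keep the two in step.` The struct's opening is outside the hunk, so whether a constructor elsewhere zeroes the array cannot be confirmed from here.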