fix(tattu_can): validate CAN frame bounds before buffer copy

Add bounds checking in the CAN frame assembly loop to prevent a buffer
overflow when copying payloads into the Tattu12SBatteryMessage struct.
A crafted CAN frame with a corrupt payload_size could write past the
48-byte struct boundary. Also guard against payload_size of 0 which
would cause an unsigned integer underflow on the size_t subtraction.

Fixes GHSA-wxwm-xmx9-hr32

Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Ramon Roche 2026-03-12 21:12:55 -07:00
parent bf4fac7e61
commit 3f04b7a95a


@ -98,9 +98,16 @@ void TattuCan::Run()
while (receive(&received_frame) > 0) {
if (received_frame.payload_size == 0) {
break;
}
size_t payload_size = received_frame.payload_size - 1;
// TODO: add check to prevent buffer overflow from a corrupt 'payload_size' value
// TODO: AND look for TAIL_BYTE_START_OF_TRANSFER to indicate end of transfer. Untested...
if (offset + payload_size > sizeof(tattu_message)) {
break;
}
memcpy(((char *)&tattu_message) + offset, received_frame.payload, payload_size);
offset += payload_size;
}
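Review bot: the new check bounds the destination but not the source: `memcpy(((char *)&tattu_message) + offset, received_frame.payload, payload_size);` still reads `payload_size` bytes from `received_frame.payload`, and nothing in this hunk shows `received_frame.payload_size` being validated against the actual size of the `payload` array (a CAN FD frame carries at most 64 bytes of data). Unless `receive()` already rejects an oversized `payload_size`, add `if (payload_size > sizeof(received_frame.payload)) { break; }` next to the destination check, or clamp it inside `receive()` and note that here. Two smaller points: the first TODO (`// TODO: add check to prevent buffer overflow from a corrupt 'payload_size' value`) is now satisfied by the `if (offset + payload_size > sizeof(tattu_message))` line directly below it and should be dropped so it does not mislead the next reader; and both `break` statements leave the `while (receive(&received_frame) > 0)` loop on a single bad frame while `offset` keeps whatever value it had (nothing in the hunk resets it), so a later message could be assembled onto the tail of the rejected one. Either reset `offset` before breaking, or use `continue` and document which recovery is intended.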