fix(zenoh): validate payload size before stack allocation

Reject Zenoh payloads that exceed the expected uORB topic size plus
CDR header (4 bytes), or that are too small to contain a valid CDR
header. This prevents a stack overflow from crafted network input
where z_bytes_len(payload) controls a VLA allocation.

Fixes GHSA-69g4-hcqf-j45p

Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Ramon Roche 2026-03-12 21:31:35 -07:00
parent b5b48536a3
commit 69a6b9eee6

@ -79,6 +79,14 @@ public:
const z_loaned_bytes_t *payload = z_sample_payload(sample);
size_t len = z_bytes_len(payload);
// Validate payload size to prevent stack overflow from untrusted input.
// CDR payload = 4-byte header + serialized data, which should not exceed o_size + 4.
const size_t max_payload_size = _uorb_meta->o_size + 4;
if (len > max_payload_size || len < 4) {
return;
}
#if defined(Z_FEATURE_UNSTABLE_API)
// Check if payload is contiguous so we can decode directly on that pointer
z_view_slice_t view;
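
Review bot: the early `return;` in the new size check drops the sample silently, so a peer sending oversized or truncated payloads leaves no trace for whoever operates the vehicle or the bridge. Consider a rate-limited warning or a drop counter there, including `len` and `max_payload_size`, so rejected input is visible in logs. The literal `4` appears twice in `_uorb_meta->o_size + 4` and `len < 4`; a named constant for the CDR header size would keep the two bounds in sync. Note also that the check accepts any length from 4 up to `o_size + 4`, so a payload carrying a header and little or no data still reaches the decode path below; if the decoder expects the full topic size, a comment saying why shorter payloads are safe (or a tighter lower bound) would help the next reader.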