mavlink_log_handler: fix potential buffer overflow

Beat Küng 2017-04-06 09:10:39 +02:00 committed by Lorenz Meier
parent b0ee1579a9
commit c7d9a7a6d1
2 changed files with 14 additions and 7 deletions


@ -237,8 +237,14 @@ MavlinkLogHandler::_log_request_data(const mavlink_message_t *msg)
_pLogHandlerHelper->current_log_filename[0] = 0;
_pLogHandlerHelper->current_log_index = request.id;
uint32_t time_utc = 0;
_pLogHandlerHelper->get_entry(_pLogHandlerHelper->current_log_index, _pLogHandlerHelper->current_log_size, time_utc,
_pLogHandlerHelper->current_log_filename);
if (!_pLogHandlerHelper->get_entry(_pLogHandlerHelper->current_log_index, _pLogHandlerHelper->current_log_size,
time_utc,
_pLogHandlerHelper->current_log_filename, sizeof(_pLogHandlerHelper->current_log_filename))) {
PX4LOG_WARN("LogListHelper::get_entry failed.\n");
return;
}
_pLogHandlerHelper->open_for_transmit();
}
@ -393,7 +399,7 @@ LogListHelper::~LogListHelper()
//-------------------------------------------------------------------
bool
LogListHelper::get_entry(int idx, uint32_t &size, uint32_t &date, char *filename)
LogListHelper::get_entry(int idx, uint32_t &size, uint32_t &date, char *filename, int filename_len)
{
//-- Find log file in log list file created during init()
size = 0;
@ -410,11 +416,12 @@ LogListHelper::get_entry(int idx, uint32_t &size, uint32_t &date, char *filename
while (fgets(line, sizeof(line), f)) {
//-- Found our "index"
if (count++ == idx) {
char file[128];
char file[160];
if (sscanf(line, "%u %u %s", &date, &size, file) == 3) {
if (filename) {
strcpy(filename, file);
if (filename && filename_len > 0) {
strncpy(filename, file, filename_len);
filename[filename_len - 1] = 0; // ensure null-termination
}
result = true;
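Review bot: The `sscanf(line, "%u %u %s", &date, &size, file)` call in the last hunk still reads the filename with an unbounded `%s`, so growing `file` from 128 to 160 bytes only closes the overflow if `line` can never hold a longer token. The declaration of `line` is outside the hunk, so that cannot be confirmed from here. Put the bound on the conversion itself, `if (sscanf(line, "%u %u %159s", &date, &size, file) == 3) {`, so the limit sits next to the buffer it protects. The `strncpy` plus forced terminator also truncates silently while `result = true` is still set, so a comment such as `// name is truncated to filename_len - 1 bytes; caller may then open the wrong path` would help. The body of get_entry continues past the end of this hunk.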


@ -58,7 +58,7 @@ public:
public:
bool get_entry(int idx, uint32_t &size, uint32_t &date, char *filename = 0);
bool get_entry(int idx, uint32_t &size, uint32_t &date, char *filename = 0, int filename_len = 0);
bool open_for_transmit();
size_t get_log_data(uint8_t len, uint8_t *buffer);
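Review bot: The defaulted `filename_len = 0` on the new get_entry declaration lets an existing call that passes a buffer but no length keep compiling. Per the implementation hunk, such a call skips the copy (`filename && filename_len > 0`) and still reaches `result = true`, so the caller sees success with whatever its buffer held before. Whether other callers exist is not visible on this page. Consider dropping the default on the length so that a missing size is a compile error, or at least state the contract on the declaration: `// filename_len: size of filename in bytes including the terminator; nothing is copied when it is 0`. A `size_t` parameter would also match the `sizeof(...)` value the visible caller passes.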