mavlink_log_handler: fix potential buffer overflow

2026-04-14 10:07:39 +08:00 · 2017-04-06 09:10:39 +02:00 · 2017-04-06 09:10:39 +02:00 · c7d9a7a6d1
commit c7d9a7a6d1
parent b0ee1579a9
2 changed files with 14 additions and 7 deletions
--- a/src/modules/mavlink/mavlink_log_handler.cpp
+++ b/src/modules/mavlink/mavlink_log_handler.cpp
@ -237,8 +237,14 @@ MavlinkLogHandler::_log_request_data(const mavlink_message_t *msg)
 		_pLogHandlerHelper->current_log_filename[0] = 0;
 		_pLogHandlerHelper->current_log_index = request.id;
 		uint32_t time_utc = 0;
-		_pLogHandlerHelper->get_entry(_pLogHandlerHelper->current_log_index, _pLogHandlerHelper->current_log_size, time_utc,
-					      _pLogHandlerHelper->current_log_filename);
+
+		if (!_pLogHandlerHelper->get_entry(_pLogHandlerHelper->current_log_index, _pLogHandlerHelper->current_log_size,
+						   time_utc,
+						   _pLogHandlerHelper->current_log_filename, sizeof(_pLogHandlerHelper->current_log_filename))) {
+			PX4LOG_WARN("LogListHelper::get_entry failed.\n");
+			return;
+		}
+
 		_pLogHandlerHelper->open_for_transmit();
 	}

@ -393,7 +399,7 @@ LogListHelper::~LogListHelper()

 //-------------------------------------------------------------------
 bool
-LogListHelper::get_entry(int idx, uint32_t &size, uint32_t &date, char *filename)
+LogListHelper::get_entry(int idx, uint32_t &size, uint32_t &date, char *filename, int filename_len)
 {
 	//-- Find log file in log list file created during init()
 	size = 0;
@ -410,11 +416,12 @@ LogListHelper::get_entry(int idx, uint32_t &size, uint32_t &date, char *filename
 		while (fgets(line, sizeof(line), f)) {
 			//-- Found our "index"
 			if (count++ == idx) {
-				char file[128];
+				char file[160];

 				if (sscanf(line, "%u %u %s", &date, &size, file) == 3) {
-					if (filename) {
-						strcpy(filename, file);
+					if (filename && filename_len > 0) {
+						strncpy(filename, file, filename_len);
+						filename[filename_len - 1] = 0; // ensure null-termination
 					}

 					result = true;
--- a/src/modules/mavlink/mavlink_log_handler.h
+++ b/src/modules/mavlink/mavlink_log_handler.h
@ -58,7 +58,7 @@ public:

 public:

-	bool        get_entry(int idx, uint32_t &size, uint32_t &date, char *filename = 0);
+	bool        get_entry(int idx, uint32_t &size, uint32_t &date, char *filename = 0, int filename_len = 0);
 	bool        open_for_transmit();
 	size_t      get_log_data(uint8_t len, uint8_t *buffer);