fly316/PX4-Autopilot
7
0
Fork 0
mirror of https://gitee.com/mirrors_PX4/PX4-Autopilot.git synced 2026-05-23 15:07:34 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix crsf_rc: prevent potential buffer overflow for unknown packets

Browse Source 
The length check for unknown packets did not include PACKET_SIZE_TYPE_SIZE
and CRC_SIZE, and hence working_index could overflow CRSF_MAX_PACKET_LEN,
triggering invalid memory access further down in QueueBuffer_PeekBuffer.

Also the working_segment_size was wrong for unknown packets.

Credits for finding this go to @Pwn9uin.
This commit is contained in:
Beat Küng
2023-09-28 07:44:11 +02:00
parent cad595cb5c
commit d1fcd39a44
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/drivers/rc/crsf_rc/CrsfParser.cpp
+2 -2
View File
@@ -293,9 +293,9 @@ bool CrsfParser_TryParseCrsfPacket(CrsfPacket_t *const new_packet, CrsfParserSta
} else {
// We don't know what this packet is, so we'll let the parser continue
// just so that we can dequeue it in one shot
working_segment_size = packet_size + PACKET_SIZE_TYPE_SIZE;
working_segment_size = packet_size - PACKET_SIZE_TYPE_SIZE;
if (working_segment_size > CRSF_MAX_PACKET_LEN) {
if (working_index + working_segment_size + CRC_SIZE > CRSF_MAX_PACKET_LEN) {
parser_statistics->invalid_unknown_packet_sizes++;
parser_state = PARSER_STATE_HEADER;
working_segment_size = HEADER_SIZE;