Add static_assert to verify LOG_FILEPATH_SCANF_WIDTH is synchronized

- Add compile-time check that LOG_FILEPATH_SIZE == 256 - Ensures LOG_FILEPATH_SCANF_WIDTH stays synchronized if buffer size changes - Provides clear error message if someone modifies LOG_FILEPATH_SIZE Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>
Use LOG_FILEPATH_SCANF_WIDTH macro for format specifier
2026-05-24 03:57:35 +08:00 · 2025-12-15 21:50:04 +00:00 · 2025-12-15 21:49:01 +00:00 · 2025-12-15 21:47:25 +00:00 · 2025-12-15 21:45:09 +00:00 · 2025-12-15 21:43:00 +00:00
2 changed files with 21 additions and 4 deletions
@@ -54,6 +54,17 @@ static const char *kLogDir = PX4_STORAGEDIR "/log";
 #define PX4_MAX_FILEPATH 	PATH_MAX
 #endif

+// Ensure PX4_MAX_FILEPATH is large enough for our buffer sizes
+// LogEntry.filepath uses MavlinkLogHandler::LOG_FILEPATH_SIZE
+static_assert(PX4_MAX_FILEPATH >= MavlinkLogHandler::LOG_FILEPATH_SIZE,
+	      "PX4_MAX_FILEPATH must be at least LOG_FILEPATH_SIZE bytes for log file paths");
+
+// Width specifier for sscanf - must be LOG_FILEPATH_SIZE - 1
+// This is hardcoded as 255 because preprocessor can't evaluate (256-1) in format strings
+// The static_assert below ensures this stays synchronized with LOG_FILEPATH_SIZE
+#define LOG_FILEPATH_SCANF_WIDTH "255"
+static_assert(MavlinkLogHandler::LOG_FILEPATH_SIZE == 256, "Update LOG_FILEPATH_SCANF_WIDTH if LOG_FILEPATH_SIZE changes");
+
 MavlinkLogHandler::MavlinkLogHandler(Mavlink &mavlink)
 	: _mavlink(mavlink)
 {}
@@ -171,10 +182,12 @@ void MavlinkLogHandler::state_listing()
 		// We can send!
 		uint32_t size_bytes = 0;
 		uint32_t time_utc = 0;
-		char filepath[PX4_MAX_FILEPATH];
+		char filepath[MavlinkLogHandler::LOG_FILEPATH_SIZE];

 		// If parsed lined successfully, send the entry
-		if (sscanf(line, "%" PRIu32 " %" PRIu32 " %s", &time_utc, &size_bytes, filepath) != 3) {
+		// Note: Using width specifier to prevent buffer overflow
+		// Width is LOG_FILEPATH_SIZE-1 to leave room for null terminator
+		if (sscanf(line, "%" PRIu32 " %" PRIu32 " %" LOG_FILEPATH_SCANF_WIDTH "s", &time_utc, &size_bytes, filepath) != 3) {
 			PX4_DEBUG("sscanf failed");
 			continue;
 		}
@@ -506,7 +519,9 @@ bool MavlinkLogHandler::log_entry_from_id(uint16_t log_id, LogEntry *entry)
 			continue;
 		}

-		if (sscanf(line, "%" PRIu32 " %" PRIu32 " %s", &(entry->time_utc), &(entry->size_bytes), entry->filepath) != 3) {
+		// Parse log entry with width specifier to prevent buffer overflow
+		// Width is LOG_FILEPATH_SIZE-1 to leave room for null terminator
+		if (sscanf(line, "%" PRIu32 " %" PRIu32 " %" LOG_FILEPATH_SCANF_WIDTH "s", &(entry->time_utc), &(entry->size_bytes), entry->filepath) != 3) {
 			PX4_DEBUG("sscanf failed");
 			continue;
 		}
@@ -48,12 +48,14 @@ public:
 	void handle_message(const mavlink_message_t *msg);

 private:
+	static constexpr size_t LOG_FILEPATH_SIZE = 256;  // Buffer size for log file paths
+
 	struct LogEntry {
 		uint16_t id{0xffff};
 		uint32_t time_utc{};
 		uint32_t size_bytes{};
 		FILE *fp{nullptr};
-		char filepath[60];
+		char filepath[LOG_FILEPATH_SIZE];
 		uint32_t offset{};
 	};
Author	SHA1	Message	Date
copilot-swe-agent[bot]	fe7bf8472b	Add static_assert to verify LOG_FILEPATH_SCANF_WIDTH is synchronized - Add compile-time check that LOG_FILEPATH_SIZE == 256 - Ensures LOG_FILEPATH_SCANF_WIDTH stays synchronized if buffer size changes - Provides clear error message if someone modifies LOG_FILEPATH_SIZE Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>	2025-12-15 21:50:04 +00:00
copilot-swe-agent[bot]	ca336fb299	Use LOG_FILEPATH_SCANF_WIDTH macro for format specifier - Define LOG_FILEPATH_SCANF_WIDTH macro for the sscanf width specifier - Replace hardcoded '255' with the named macro in both sscanf calls - Improves maintainability and makes the relationship between buffer size and width explicit - Addresses final code review feedback about magic numbers Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>	2025-12-15 21:49:01 +00:00
copilot-swe-agent[bot]	5cdc783b05	Remove duplicate constant and use header LOG_FILEPATH_SIZE - Remove duplicate LOG_FILEPATH_SIZE macro from cpp file - Use MavlinkLogHandler::LOG_FILEPATH_SIZE consistently throughout - Update local filepath buffer to use the same size as LogEntry.filepath - Addresses code review feedback about duplication and consistency Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>	2025-12-15 21:47:25 +00:00
copilot-swe-agent[bot]	5037a96376	Define LOG_FILEPATH_SIZE constant for maintainability - Add LOG_FILEPATH_SIZE constant (256) in both header and cpp - Update LogEntry.filepath to use the constant - Improve comments explaining width specifier relationship - Addresses code review feedback about magic numbers Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>	2025-12-15 21:45:09 +00:00
copilot-swe-agent[bot]	8e0cabaeb7	Add static_assert and use consistent %255s width specifier - Add static_assert to ensure PX4_MAX_FILEPATH >= 256 at compile time - Use %255s consistently for both sscanf calls to prevent overflow - Add explanatory comments for the width specifier choice - Addresses code review feedback about potential overflow on NuttX Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>	2025-12-15 21:43:00 +00:00
copilot-swe-agent[bot]	338595edd1	Fix stack buffer overflow in mavlink_log_handler sscanf calls - Increase LogEntry.filepath buffer from 60 to 256 bytes - Add width specifiers to sscanf calls (%255s and %1023s) to prevent buffer overflow - Prevents remote DoS vulnerability when parsing logdata.txt with excessively long filenames Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>	2025-12-15 21:37:29 +00:00
copilot-swe-agent[bot]	f219c9f3b9	Initial plan	2025-12-15 21:33:02 +00:00