From 0142265f678853850923c822ce8637ebd56b2be9 Mon Sep 17 00:00:00 2001
From: Peter Barker <pbarker@barker.dropbear.id.au>
Date: Fri, 19 Oct 2018 09:53:32 +1100
Subject: [PATCH] AP_Mount: make a copy of ID for mavlink_msg_param_set_send

The send function is expecting an array of the full length, so passing i
na null-terminated char* may result in uninitialised data (or
information leak)
---
 libraries/AP_Mount/SoloGimbal_Parameters.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libraries/AP_Mount/SoloGimbal_Parameters.cpp b/libraries/AP_Mount/SoloGimbal_Parameters.cpp
index 56731eb740..9e0c52d53a 100644
--- a/libraries/AP_Mount/SoloGimbal_Parameters.cpp
+++ b/libraries/AP_Mount/SoloGimbal_Parameters.cpp
@@ -109,7 +109,13 @@ void SoloGimbal_Parameters::set_param(gmb_param_t param, float value) {
 
     _params[param].state = GMB_PARAMSTATE_ATTEMPTING_TO_SET;
     _params[param].value = value;
-    mavlink_msg_param_set_send(_chan, 0, MAV_COMP_ID_GIMBAL, get_param_name(param), _params[param].value, MAV_PARAM_TYPE_REAL32);
+
+    // make a temporary copy of the ID; mavlink_msg_param_set_send
+    // expects an array of the full length
+    char tmp_name[MAVLINK_MSG_PARAM_SET_FIELD_PARAM_ID_LEN+1] {};
+    strncpy(tmp_name, get_param_name(param), sizeof(tmp_name));
+
+    mavlink_msg_param_set_send(_chan, 0, MAV_COMP_ID_GIMBAL, tmp_name, _params[param].value, MAV_PARAM_TYPE_REAL32);
 
     _last_request_ms = AP_HAL::millis();
 }