From 12981b1f077b52e254075d5d49ed64311360cc81 Mon Sep 17 00:00:00 2001
From: Peter Barker <pbarker@barker.dropbear.id.au>
Date: Thu, 7 Mar 2019 13:29:28 +1100
Subject: [PATCH] AP_Arming: correct use of failure messages as format strings

This is important as if the returned string happens to contain
substitutions (%s in particular), we can attempt to pull random data
off the stack and incorporate it in the string.

This sort of bug is rather famous for serious explots in sendmail.

This could be bad if your stack is relatively full and the memory after
it is inaccessible.
---
 libraries/AP_Arming/AP_Arming.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/libraries/AP_Arming/AP_Arming.cpp b/libraries/AP_Arming/AP_Arming.cpp
index 7657467ba7..236d303fd8 100644
--- a/libraries/AP_Arming/AP_Arming.cpp
+++ b/libraries/AP_Arming/AP_Arming.cpp
@@ -329,7 +329,7 @@ bool AP_Arming::ins_checks(bool report)
         // check AHRS attitudes are consistent
         char failure_msg[50] = {};
         if (!AP::ahrs().attitudes_consistent(failure_msg, ARRAY_SIZE(failure_msg))) {
-            check_failed(ARMING_CHECK_INS, report, failure_msg);
+            check_failed(ARMING_CHECK_INS, report, "%s", failure_msg);
             return false;
         }
     }
@@ -463,7 +463,7 @@ bool AP_Arming::battery_checks(bool report)
 
         char buffer[MAVLINK_MSG_STATUSTEXT_FIELD_TEXT_LEN+1] {};
         if (!AP::battery().arming_checks(sizeof(buffer), buffer)) {
-            check_failed(ARMING_CHECK_BATTERY, report, buffer);
+            check_failed(ARMING_CHECK_BATTERY, report, "%s", buffer);
             return false;
         }
      }