From 540dcc554f75d2db32ec915b5eddd91e6e62a755 Mon Sep 17 00:00:00 2001
From: Andrew Tridgell
Date: Fri, 3 Jun 2022 14:32:58 +1000
Subject: [PATCH] AP_UAVCAN: added a check for memory corruption in the pool
---
 libraries/AP_UAVCAN/AP_UAVCAN_pool.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/libraries/AP_UAVCAN/AP_UAVCAN_pool.cpp b/libraries/AP_UAVCAN/AP_UAVCAN_pool.cpp
index 3fda97c1f2..2f68ab955c 100644
--- a/libraries/AP_UAVCAN/AP_UAVCAN_pool.cpp
+++ b/libraries/AP_UAVCAN/AP_UAVCAN_pool.cpp
@@ -51,6 +51,11 @@ void* AP_PoolAllocator::allocate(std::size_t size)
 return nullptr;
 }
 Node *ret = free_list;
+ const uint32_t blk = ret - pool_nodes;
+ if (blk >= num_blocks) {
+ INTERNAL_ERROR(AP_InternalError::error_t::mem_guard);
+ return nullptr;
+ }
 free_list = free_list->next;
 used++;
@@ -69,6 +74,11 @@ void AP_PoolAllocator::deallocate(const void* ptr)
 WITH_SEMAPHORE(sem);
 Node *p = reinterpret_cast(const_cast(ptr));
+ const uint32_t blk = p - pool_nodes;
+ if (blk >= num_blocks) {
+ INTERNAL_ERROR(AP_InternalError::error_t::mem_guard);
+ return;
+ }
 p->next = free_list;
 free_list = p;
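Review bot: The range check added in `allocate()` (and the identical one in `deallocate()`) still accepts a corrupted pointer that lies inside the pool but not on a block boundary, because `ret - pool_nodes` divides the byte distance by the node size and drops the remainder; in `deallocate()` such a pointer would then have `p->next = free_list` written across two neighbouring blocks. Subtracting pointers that are not into the same array is also undefined behaviour, so the compiler is not required to keep the comparison meaningful for exactly the stray values this guard targets. Assuming `pool_nodes` is an array of `Node`, working on the byte offset covers both: `const uintptr_t off = uintptr_t(ret) - uintptr_t(pool_nodes);` followed by `if (off % sizeof(Node) != 0 || off / sizeof(Node) >= num_blocks) {`. An in-range check cannot see a double free either, and on failure `allocate()` leaves `free_list` at the bad value so every later allocation fails; if that fail-closed behaviour is intended, a one-line comment such as `// leave free_list untouched: pool stays disabled after corruption` would make it explicit. Both function bodies start and end outside the hunks.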