AP_Proximity: prevent buffer overflow in LD06 driver

We're using a value off the wire before it has been validated.  That value is used to limit indexing into a buffer, and that buffer isn't big enough to handle all possible "bad" values that index could take on.  Note that "read" here returns int16_t....
This commit is contained in:
Peter Barker 2024-05-14 11:43:16 +10:00 committed by Peter Barker
parent 3982d576eb
commit cb6907992b
2 changed files with 21 additions and 11 deletions

View File

@ -92,21 +92,33 @@ void AP_Proximity_LD06::get_readings()
// Loops through all bytes that were received
while (nbytes-- > 0) {
// Gets and logs the current byte being read
const uint8_t c = _uart->read();
uint8_t c;
if (!_uart->read(c)) {
break;
}
// Stores the byte in an array if the byte is a start byte or we have already read a start byte
if (c == LD_START_CHAR || _response_data) {
// Sets to true if a start byte has been read, default false otherwise
_response_data = true;
if (c == LD_START_CHAR || _byte_count) {
// Stores the next byte in an array
_response[_byte_count] = c;
if (_byte_count < START_DATA_LENGTH) {
_byte_count++;
continue;
}
const uint32_t total_packet_length = _response[START_DATA_LENGTH] + 3;
if (total_packet_length > ARRAY_SIZE(_response)) {
// invalid packet received; throw away all data and
// start again.
_byte_count = 0;
_uart->discard_input();
break;
}
_byte_count++;
if (_byte_count == _response[START_DATA_LENGTH] + 3) {
if (_byte_count == total_packet_length) {
const uint32_t current_ms = AP_HAL::millis();
// Stores the last distance taken, used to reduce number of readings taken
@ -121,7 +133,6 @@ void AP_Proximity_LD06::get_readings()
// Resets the bytes read and whether or not we are reading data to accept a new payload
_byte_count = 0;
_response_data = false;
}
}
}

View File

@ -57,7 +57,6 @@ private:
// Store and keep track of the bytes being read from the sensor
uint8_t _response[MESSAGE_LENGTH_LD06];
bool _response_data;
uint16_t _byte_count;
// Store for error-tracking purposes