AP_Scripting: correct use-after-free in script statistics

run_next_script can free the script if the script runs over-time.

... so stop using data from that freed script structure!
Peter Barker 2024-06-23 12:14:53 +10:00 committed by Randy Mackay
parent 8f6d822e7e
commit d6311b4e15


@ -570,8 +570,11 @@ void lua_scripts::run(void) {
if ((_debug_options.get() & uint8_t(DebugLevel::RUNTIME_MSG)) != 0) { if ((_debug_options.get() & uint8_t(DebugLevel::RUNTIME_MSG)) != 0) {
GCS_SEND_TEXT(MAV_SEVERITY_DEBUG, "Lua: Running %s", scripts->name); GCS_SEND_TEXT(MAV_SEVERITY_DEBUG, "Lua: Running %s", scripts->name);
} }
// copy name for logging, cant do it after as script reschedule moves the pointers // take a copy of the script name for the purposes of
const char * script_name = scripts->name; // logging statistics. "scripts" may become invalid
// during the "run_next_script" call, below.
char script_name[128+1] {};
strncpy_noterm(script_name, scripts->name, 128);
#if DISABLE_INTERRUPTS_FOR_SCRIPT_RUN #if DISABLE_INTERRUPTS_FOR_SCRIPT_RUN
void *istate = hal.scheduler->disable_interrupts_save(); void *istate = hal.scheduler->disable_interrupts_save();
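Review bot: The copy length in `strncpy_noterm(script_name, scripts->name, 128);` repeats the size literal from the declaration `char script_name[128+1] {};` one line above, so the two can drift apart if the buffer is ever resized; deriving it from the array keeps the terminator guarantee mechanical, e.g. `strncpy_noterm(script_name, scripts->name, sizeof(script_name)-1);`. Assuming strncpy_noterm copies at most the given byte count and writes no terminator, as its name suggests, the zero-initialised extra byte is what keeps the name NUL-terminated, and a short comment makes that dependency explicit: `// copy at most sizeof-1 bytes so the {} zero-initialiser leaves a terminator`. Names longer than 128 characters are silently truncated in the statistics message, which looks acceptable for logging but is worth stating in the same comment. lua_scripts::run continues outside the hunk.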
@ -580,6 +583,10 @@ void lua_scripts::run(void) {
const int startMem = lua_gc(L, LUA_GCCOUNT, 0) * 1024 + lua_gc(L, LUA_GCCOUNTB, 0); const int startMem = lua_gc(L, LUA_GCCOUNT, 0) * 1024 + lua_gc(L, LUA_GCCOUNTB, 0);
const uint32_t loadEnd = AP_HAL::micros(); const uint32_t loadEnd = AP_HAL::micros();
// NOTE! the base pointer of our scripts linked list,
// *and all its contents* may become invalid as part of
// "run_next_script"! So do *NOT* attempt to access
// anything that was in *scripts after this call.
run_next_script(L); run_next_script(L);
const uint32_t runEnd = AP_HAL::micros(); const uint32_t runEnd = AP_HAL::micros();