AP_Proximity: prevent buffer overflow in LD06 driver
We're using a value off the wire before it has been validated. That value is used to limit indexing into a buffer, and that buffer isn't big enough to handle all possible "bad" values that index could take on. Note that "read" here returns int16_t....
This commit is contained in:
parent
3982d576eb
commit
cb6907992b
@ -92,21 +92,33 @@ void AP_Proximity_LD06::get_readings()
|
|||||||
// Loops through all bytes that were received
|
// Loops through all bytes that were received
|
||||||
while (nbytes-- > 0) {
|
while (nbytes-- > 0) {
|
||||||
|
|
||||||
// Gets and logs the current byte being read
|
uint8_t c;
|
||||||
const uint8_t c = _uart->read();
|
if (!_uart->read(c)) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
// Stores the byte in an array if the byte is a start byte or we have already read a start byte
|
// Stores the byte in an array if the byte is a start byte or we have already read a start byte
|
||||||
if (c == LD_START_CHAR || _response_data) {
|
if (c == LD_START_CHAR || _byte_count) {
|
||||||
|
|
||||||
// Sets to true if a start byte has been read, default false otherwise
|
|
||||||
_response_data = true;
|
|
||||||
|
|
||||||
// Stores the next byte in an array
|
// Stores the next byte in an array
|
||||||
_response[_byte_count] = c;
|
_response[_byte_count] = c;
|
||||||
|
if (_byte_count < START_DATA_LENGTH) {
|
||||||
|
_byte_count++;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
const uint32_t total_packet_length = _response[START_DATA_LENGTH] + 3;
|
||||||
|
if (total_packet_length > ARRAY_SIZE(_response)) {
|
||||||
|
// invalid packet received; throw away all data and
|
||||||
|
// start again.
|
||||||
|
_byte_count = 0;
|
||||||
|
_uart->discard_input();
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
_byte_count++;
|
_byte_count++;
|
||||||
|
|
||||||
if (_byte_count == _response[START_DATA_LENGTH] + 3) {
|
if (_byte_count == total_packet_length) {
|
||||||
|
|
||||||
const uint32_t current_ms = AP_HAL::millis();
|
const uint32_t current_ms = AP_HAL::millis();
|
||||||
|
|
||||||
// Stores the last distance taken, used to reduce number of readings taken
|
// Stores the last distance taken, used to reduce number of readings taken
|
||||||
@ -121,7 +133,6 @@ void AP_Proximity_LD06::get_readings()
|
|||||||
|
|
||||||
// Resets the bytes read and whether or not we are reading data to accept a new payload
|
// Resets the bytes read and whether or not we are reading data to accept a new payload
|
||||||
_byte_count = 0;
|
_byte_count = 0;
|
||||||
_response_data = false;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -57,7 +57,6 @@ private:
|
|||||||
|
|
||||||
// Store and keep track of the bytes being read from the sensor
|
// Store and keep track of the bytes being read from the sensor
|
||||||
uint8_t _response[MESSAGE_LENGTH_LD06];
|
uint8_t _response[MESSAGE_LENGTH_LD06];
|
||||||
bool _response_data;
|
|
||||||
uint16_t _byte_count;
|
uint16_t _byte_count;
|
||||||
|
|
||||||
// Store for error-tracking purposes
|
// Store for error-tracking purposes
|
||||||
|
Loading…
Reference in New Issue
Block a user