mavlink: check index for out-of-bounds

If a MAP_RC_PARAM message is sent with an index > 2, this would lead
to undefined behaviour or a segfault/hardfault.
Julian Oes 2020-12-08 08:36:45 +13:00 committed by Beat Küng
parent dd4ee5c48c
commit a1b54eb655
1 changed files with 7 additions and 0 deletions


@ -44,6 +44,7 @@
#include "mavlink_parameters.h"
#include "mavlink_main.h"
#include <lib/systemlib/mavlink_log.h>
MavlinkParametersManager::MavlinkParametersManager(Mavlink *mavlink) :
_mavlink(mavlink)
@ -245,6 +246,12 @@ MavlinkParametersManager::handle_message(const mavlink_message_t *msg)
/* Copy values from msg to uorb using the parameter_rc_channel_index as index */
size_t i = map_rc.parameter_rc_channel_index;
if (i >= sizeof(_rc_param_map.param_index) / sizeof(_rc_param_map.param_index[0])) {
mavlink_log_warning(_mavlink->get_mavlink_log_pub(), "parameter_rc_channel_index out of bounds");
break;
}
_rc_param_map.param_index[i] = map_rc.param_index;
strncpy(&(_rc_param_map.param_id[i * (rc_parameter_map_s::PARAM_ID_LEN + 1)]), map_rc.param_id,
MAVLINK_MSG_PARAM_VALUE_FIELD_PARAM_ID_LEN);
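Review bot: The new bound on `i` is computed from `_rc_param_map.param_index`, but the `strncpy` just below it writes into `_rc_param_map.param_id` at offset `i * (rc_parameter_map_s::PARAM_ID_LEN + 1)`, a separate array whose size is not visible in this hunk. If the two arrays are ever sized independently, the check would pass while the copy still runs past the buffer, with `i` taken directly from a received MAP_RC_PARAM message. Pinning the invariant next to the check would make that assumption explicit: `static_assert(sizeof(_rc_param_map.param_id) >= (sizeof(_rc_param_map.param_index) / sizeof(_rc_param_map.param_index[0])) * (rc_parameter_map_s::PARAM_ID_LEN + 1), "param_id too small for param_index slots");`. The copy length is `MAVLINK_MSG_PARAM_VALUE_FIELD_PARAM_ID_LEN` rather than `rc_parameter_map_s::PARAM_ID_LEN`, and `strncpy` leaves the slot unterminated when the id fills it. Since handle_message continues past the end of the hunk, it is worth confirming that the two lengths agree and that the terminator is written there.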