dark0707
/
px4-firmware
forked from Archive/PX4-Autopilot
1
0
Fork 0
Code Pull Requests Activity

fix crsf_rc: prevent potential buffer overflow for unknown packets 

The length check for unknown packets did not include PACKET_SIZE_TYPE_SIZE
and CRC_SIZE, and hence working_index could overflow CRSF_MAX_PACKET_LEN,
triggering invalid memory access further down in QueueBuffer_PeekBuffer.

Also the working_segment_size was wrong for unknown packets.

Credits for finding this go to @Pwn9uin.
This commit is contained in:
Beat Küng 2023-09-28 07:44:11 +02:00
parent 6e65478959
commit e961b29c56
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/drivers/rc/crsf_rc/CrsfParser.cpp
View File

@ -293,9 +293,9 @@ bool CrsfParser_TryParseCrsfPacket(CrsfPacket_t *const new_packet, CrsfParserSta
} else {
// We don't know what this packet is, so we'll let the parser continue
// just so that we can dequeue it in one shot
working_segment_size = packet_size + PACKET_SIZE_TYPE_SIZE;
working_segment_size = packet_size - PACKET_SIZE_TYPE_SIZE;
if (working_segment_size > CRSF_MAX_PACKET_LEN) {
if (working_index + working_segment_size + CRC_SIZE > CRSF_MAX_PACKET_LEN) {
parser_statistics->invalid_unknown_packet_sizes++;
parser_state = PARSER_STATE_HEADER;
working_segment_size = HEADER_SIZE;