fix(septentrio): bounds-check port name offset in detect_serial_port

The serial port autodetect computed an offset relative to a ">" prompt
without verifying that there were enough preceding bytes in the read
buffer. When the prompt landed near the start of the buffer the size_t
offset arithmetic underflowed and the subsequent copy read before the
buffer.

Replace the buffer_offset heuristic with a direct check that the prompt
sits at least four bytes into the read buffer before computing the port
name offset, and use signed pointer arithmetic on the address difference
so the underflow is no longer reachable.

Refs: GHSA-v78g-fxg8-gv3j
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Ramon Roche
2026-04-06 20:19:41 -07:00
parent 44c128aade
commit 07a6d3ed9d
+5 -3
@@ -768,9 +768,11 @@ int SeptentrioDriver::detect_serial_port(char* const port_name) {
char* port_name_address = strstr(buf, ">");
// Check if we found a port candidate.
if (buffer_offset > 4 && port_name_address != nullptr) {
size_t port_name_offset = reinterpret_cast<size_t>(port_name_address) - reinterpret_cast<size_t>(buf) - 4;
// Check if we found a port candidate. The prompt must be preceded by at least
// four bytes of port name in the same buffer, otherwise the offset would
// underflow and read before buf.
if (port_name_address != nullptr && (port_name_address - buf) >= 4) {
size_t port_name_offset = static_cast<size_t>(port_name_address - buf) - 4;
for (size_t i = 0; i < 4; i++) {
port_name[i] = buf[port_name_offset + i];
}
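Review bot: The new condition `if (port_name_address != nullptr && (port_name_address - buf) >= 4)` only ever evaluates the first ">" that `strstr(buf, ">")` returns, so a ">" within the first four bytes of the buffer (for example the tail of an earlier response) now causes the candidate to be rejected even when a complete "name>" prompt follows later in the same read. Consider continuing the search from `port_name_address + 1` until a match with at least four preceding bytes is found or `strstr` returns `nullptr`. Two smaller points on the same lines: `strstr` depends on `buf` being NUL-terminated, and since `buffer_offset` no longer appears in the condition it is worth confirming (or commenting) that the terminator is written at the end of the received data before the search; and the literal `4` now appears in the comparison, the subtraction and the copy loop, so a named constant for the port name length would keep the three in step.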