From 07a6d3ed9da5d021b3043a6f62389b6868ddb82b Mon Sep 17 00:00:00 2001
From: Ramon Roche
Date: Mon, 6 Apr 2026 20:19:41 -0700
Subject: [PATCH] fix(septentrio): bounds-check port name offset in detect_serial_port
The serial port autodetect computed an offset relative to a ">" prompt without verifying that there were enough preceding bytes in the read buffer. When the prompt landed near the start of the buffer the size_t offset arithmetic underflowed and the subsequent copy read before the buffer. Replace the buffer_offset heuristic with a direct check that the prompt sits at least four bytes into the read buffer before computing the port name offset, and use signed pointer arithmetic on the address difference so the underflow is no longer reachable.
Refs: GHSA-v78g-fxg8-gv3j
Signed-off-by: Ramon Roche
---
 src/drivers/gnss/septentrio/septentrio.cpp | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/drivers/gnss/septentrio/septentrio.cpp b/src/drivers/gnss/septentrio/septentrio.cpp
index bffc940e29..df3e7f3974 100644
--- a/src/drivers/gnss/septentrio/septentrio.cpp
+++ b/src/drivers/gnss/septentrio/septentrio.cpp
@@ -768,9 +768,11 @@ int SeptentrioDriver::detect_serial_port(char* const port_name) {
 char* port_name_address = strstr(buf, ">");
- // Check if we found a port candidate.
- if (buffer_offset > 4 && port_name_address != nullptr) {
- size_t port_name_offset = reinterpret_cast(port_name_address) - reinterpret_cast(buf) - 4;
+ // Check if we found a port candidate. The prompt must be preceded by at least
+ // four bytes of port name in the same buffer, otherwise the offset would
+ // underflow and read before buf.
+ if (port_name_address != nullptr && (port_name_address - buf) >= 4) {
+ size_t port_name_offset = static_cast(port_name_address - buf) - 4;
 for (size_t i = 0; i < 4; i++) {
 port_name[i] = buf[port_name_offset + i];
 }
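Review bot: The new guard bounds the prompt against the start of `buf` but not against the end of the data actually received: `strstr(buf, ">")` scans to the first NUL, so the check is only sound if `buf` is terminated at the received length, which this hunk does not show. With `buffer_offset > 4` dropped from the condition, nothing visible here ties the match to bytes read in this pass, so a `>` found in stale or uninitialised bytes would still lead to a four-byte copy into `port_name`. If `buffer_offset` is the count of valid bytes (an assumption based on the removed line), a bounded search such as `char* port_name_address = static_cast<char*>(memchr(buf, '>', buffer_offset));` would make that limit explicit. The four copied bytes are also not checked against an expected port-name form in the visible lines; the body of detect_serial_port continues outside the hunk, so termination of `port_name` and any such validation may already happen there.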