Mirrors_Framework/PX4-Autopilot
1
0
Fork 0
mirror of https://github.com/PX4/PX4-Autopilot.git synced 2026-05-27 10:17:45 +08:00
Code Issues Actions 21 Packages Projects Releases Wiki Activity

mavlink: check index for out-of-bounds

Browse Source 
If a MAP_RC_PARAM message is sent with an index > 2, this would lead
to undefined behaviour or a segfault/hardfault.
This commit is contained in:
Julian Oes
2020-12-08 08:36:45 +13:00
committed by Beat Küng
parent dd4ee5c48c
commit a1b54eb655
1 changed files with 7 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/modules/mavlink/mavlink_parameters.cpp
+7
View File
@@ -44,6 +44,7 @@
#include "mavlink_parameters.h" #include "mavlink_parameters.h"
#include "mavlink_main.h" #include "mavlink_main.h"
#include <lib/systemlib/mavlink_log.h>
MavlinkParametersManager::MavlinkParametersManager(Mavlink *mavlink) : MavlinkParametersManager::MavlinkParametersManager(Mavlink *mavlink) :
_mavlink(mavlink) _mavlink(mavlink)
@@ -245,6 +246,12 @@ MavlinkParametersManager::handle_message(const mavlink_message_t *msg)
/* Copy values from msg to uorb using the parameter_rc_channel_index as index */ /* Copy values from msg to uorb using the parameter_rc_channel_index as index */
size_t i = map_rc.parameter_rc_channel_index; size_t i = map_rc.parameter_rc_channel_index;
if (i >= sizeof(_rc_param_map.param_index) / sizeof(_rc_param_map.param_index[0])) {
mavlink_log_warning(_mavlink->get_mavlink_log_pub(), "parameter_rc_channel_index out of bounds");
break;
}
_rc_param_map.param_index[i] = map_rc.param_index; _rc_param_map.param_index[i] = map_rc.param_index;
strncpy(&(_rc_param_map.param_id[i * (rc_parameter_map_s::PARAM_ID_LEN + 1)]), map_rc.param_id, strncpy(&(_rc_param_map.param_id[i * (rc_parameter_map_s::PARAM_ID_LEN + 1)]), map_rc.param_id,
MAVLINK_MSG_PARAM_VALUE_FIELD_PARAM_ID_LEN); MAVLINK_MSG_PARAM_VALUE_FIELD_PARAM_ID_LEN);