Mirrors_Framework/PX4-Autopilot
1
0
Fork 0
mirror of https://github.com/PX4/PX4-Autopilot.git synced 2026-05-28 19:32:36 +08:00
Code Issues Actions 10 Packages Projects Releases Wiki Activity

board_identity: Fix UUID format function buffer overflow bug

Browse Source 
- Previously, not having a proper boundary check caused overflows in the
buffer (wrong memory access)
- Moreoever, negative size values getting introduced to snprintf &
strncat were also being truncated to unsigned value, hence causing
overflow, so index check needed to be added before both functions
- Fixed typo in board_common.h
This commit is contained in:
Junwoo Hwang
2022-09-14 11:03:29 +02:00
committed by Daniel Agar
parent facf01d69d
commit f5215e8207
7 changed files with 28 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
platforms/nuttx/src/px4/nxp/imxrt/version/board_identity.c
+4 -5
View File
@@ -100,15 +100,14 @@ int board_get_uuid32_formated(char *format_buffer, int size,
{
uuid_uint32_t uuid;
board_get_uuid32(uuid);
int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned int i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
offset += snprintf(&format_buffer[offset], size - ((i * 2 * sizeof(uint32_t)) + 1), format, uuid[i]);
for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
strcat(&format_buffer[offset], seperator);
if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size;
}
}
platforms/nuttx/src/px4/nxp/kinetis/version/board_identity.c
+4 -5
View File
@@ -71,15 +71,14 @@ int board_get_uuid32_formated(char *format_buffer, int size,
{
uuid_uint32_t uuid;
board_get_uuid32(uuid);
int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned int i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
offset += snprintf(&format_buffer[offset], size - ((i * 2 * sizeof(uint32_t)) + 1), format, uuid[i]);
for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
strcat(&format_buffer[offset], seperator);
if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size;
}
}
platforms/nuttx/src/px4/nxp/s32k1xx/version/board_identity.c
+4 -5
View File
@@ -71,15 +71,14 @@ int board_get_uuid32_formated(char *format_buffer, int size,
{
uuid_uint32_t uuid;
board_get_uuid32(uuid);
int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned int i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
offset += snprintf(&format_buffer[offset], size - ((i * 2 * sizeof(uint32_t)) + 1), format, uuid[i]);
for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
strcat(&format_buffer[offset], seperator);
if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size;
}
}
platforms/nuttx/src/px4/rpi/rpi_common/version/board_identity.c
+3 -3
View File
@@ -65,11 +65,11 @@ int board_get_uuid32_formated(char *format_buffer, int size,
int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
strcat(&format_buffer[offset], seperator);
if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size;
}
}
platforms/nuttx/src/px4/stm/stm32_common/version/board_identity.c
+3 -3
View File
@@ -89,11 +89,11 @@ int board_get_uuid32_formated(char *format_buffer, int size,
int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
strcat(&format_buffer[offset], seperator);
if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size;
}
}