Mirrors_Framework/PX4-Autopilot
1
0
Fork 0
mirror of https://github.com/PX4/PX4-Autopilot.git synced 2026-05-31 10:26:52 +08:00
Code Issues Actions 7 Packages Projects Releases Wiki Activity

board_identity: Fix UUID format function buffer overflow bug

Browse Source 
- Previously, not having a proper boundary check caused overflows in the
buffer (wrong memory access)
- Moreoever, negative size values getting introduced to snprintf &
strncat were also being truncated to unsigned value, hence causing
overflow, so index check needed to be added before both functions
- Fixed typo in board_common.h
This commit is contained in:
Junwoo Hwang
2022-09-14 11:03:29 +02:00
committed by Daniel Agar
parent facf01d69d
commit f5215e8207
7 changed files with 28 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files
platforms/common/board_identity.c
+9 -3
View File
@@ -40,6 +40,12 @@
#include <px4_platform_common/px4_config.h> #include <px4_platform_common/px4_config.h>
#include <stdio.h> #include <stdio.h>
#include <string.h> #include <string.h>
/**
* For special cases, specific boards may need to override the UUID, instead of using the generic
* PX4 GUID (gettable via 'board_get_px4_guid_formated' function). In that case we define the cascaded
* UUID function getters to incorporate the overridden UUID into the GUID.
*/
#if defined(BOARD_OVERRIDE_UUID) || defined(BOARD_OVERRIDE_MFGUID) || defined(BOARD_OVERRIDE_PX4_GUID) #if defined(BOARD_OVERRIDE_UUID) || defined(BOARD_OVERRIDE_MFGUID) || defined(BOARD_OVERRIDE_PX4_GUID)
static const uint16_t soc_arch_id = PX4_SOC_ARCH_ID; static const uint16_t soc_arch_id = PX4_SOC_ARCH_ID;
static const char board_uuid[17] = BOARD_OVERRIDE_UUID; static const char board_uuid[17] = BOARD_OVERRIDE_UUID;
@@ -72,11 +78,11 @@ int board_get_uuid32_formated(char *format_buffer, int size,
int offset = 0; int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0; int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) { for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]); offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) { if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strcat(&format_buffer[offset], seperator); strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size; offset += sep_size;
} }
} }
platforms/common/include/px4_platform_common/board_common.h
+1 -1
View File
@@ -946,7 +946,7 @@ int board_get_mfguid_formated(char *format_buffer, int size); // DEPRICATED use
int board_get_px4_guid(px4_guid_t guid); int board_get_px4_guid(px4_guid_t guid);
/************************************************************************************ /************************************************************************************
* Name: board_get_mfguid_formated * Name: board_get_px4_guid_formated
* *
* Description: * Description:
* All boards either provide a way to retrieve a formatted string of the * All boards either provide a way to retrieve a formatted string of the
platforms/nuttx/src/px4/nxp/imxrt/version/board_identity.c
+4 -5
View File
@@ -100,15 +100,14 @@ int board_get_uuid32_formated(char *format_buffer, int size,
{ {
uuid_uint32_t uuid; uuid_uint32_t uuid;
board_get_uuid32(uuid); board_get_uuid32(uuid);
int offset = 0; int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0; int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned int i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) { for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - ((i * 2 * sizeof(uint32_t)) + 1), format, uuid[i]); offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) { if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strcat(&format_buffer[offset], seperator); strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size; offset += sep_size;
} }
} }
platforms/nuttx/src/px4/nxp/kinetis/version/board_identity.c
+4 -5
View File
@@ -71,15 +71,14 @@ int board_get_uuid32_formated(char *format_buffer, int size,
{ {
uuid_uint32_t uuid; uuid_uint32_t uuid;
board_get_uuid32(uuid); board_get_uuid32(uuid);
int offset = 0; int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0; int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned int i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) { for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - ((i * 2 * sizeof(uint32_t)) + 1), format, uuid[i]); offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) { if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strcat(&format_buffer[offset], seperator); strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size; offset += sep_size;
} }
} }
platforms/nuttx/src/px4/nxp/s32k1xx/version/board_identity.c
+4 -5
View File
@@ -71,15 +71,14 @@ int board_get_uuid32_formated(char *format_buffer, int size,
{ {
uuid_uint32_t uuid; uuid_uint32_t uuid;
board_get_uuid32(uuid); board_get_uuid32(uuid);
int offset = 0; int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0; int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned int i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) { for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - ((i * 2 * sizeof(uint32_t)) + 1), format, uuid[i]); offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) { if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strcat(&format_buffer[offset], seperator); strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size; offset += sep_size;
} }
} }
platforms/nuttx/src/px4/rpi/rpi_common/version/board_identity.c
+3 -3
View File
@@ -65,11 +65,11 @@ int board_get_uuid32_formated(char *format_buffer, int size,
int offset = 0; int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0; int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) { for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]); offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) { if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strcat(&format_buffer[offset], seperator); strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size; offset += sep_size;
} }
} }
platforms/nuttx/src/px4/stm/stm32_common/version/board_identity.c
+3 -3
View File
@@ -89,11 +89,11 @@ int board_get_uuid32_formated(char *format_buffer, int size,
int offset = 0; int offset = 0;
int sep_size = seperator ? strlen(seperator) : 0; int sep_size = seperator ? strlen(seperator) : 0;
for (unsigned i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) { for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]); offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);
if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) { if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
strcat(&format_buffer[offset], seperator); strncat(&format_buffer[offset], seperator, size - offset);
offset += sep_size; offset += sep_size;
} }
} }