board_identity: Fix UUID format function buffer overflow bug

- Previously, not having a proper boundary check caused overflows in the buffer (wrong memory access) - Moreoever, negative size values getting introduced to snprintf & strncat were also being truncated to unsigned value, hence causing overflow, so index check needed to be added before both functions - Fixed typo in board_common.h
2026-05-30 04:06:33 +08:00 · 2022-09-14 11:03:29 +02:00
parent facf01d69d
commit f5215e8207
7 changed files with 28 additions and 25 deletions
@@ -40,6 +40,12 @@
 #include <px4_platform_common/px4_config.h>
 #include <stdio.h>
 #include <string.h>
+
+/**
+ * For special cases, specific boards may need to override the UUID, instead of using the generic
+ * PX4 GUID (gettable via 'board_get_px4_guid_formated' function). In that case we define the cascaded
+ * UUID function getters to incorporate the overridden UUID into the GUID.
+ */
 #if defined(BOARD_OVERRIDE_UUID) || defined(BOARD_OVERRIDE_MFGUID) || defined(BOARD_OVERRIDE_PX4_GUID)
 static const uint16_t soc_arch_id = PX4_SOC_ARCH_ID;
 static const char board_uuid[17] = BOARD_OVERRIDE_UUID;
@@ -72,11 +78,11 @@ int board_get_uuid32_formated(char *format_buffer, int size,
 	int offset = 0;
 	int sep_size = seperator ? strlen(seperator) : 0;

-	for (unsigned i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
+	for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
 		offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);

-		if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
-			strcat(&format_buffer[offset], seperator);
+		if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
+			strncat(&format_buffer[offset], seperator, size - offset);
 			offset += sep_size;
 		}
 	}
@@ -946,7 +946,7 @@ int board_get_mfguid_formated(char *format_buffer, int size); // DEPRICATED use
 int board_get_px4_guid(px4_guid_t guid);

 /************************************************************************************
- * Name: board_get_mfguid_formated
+ * Name: board_get_px4_guid_formated
 *
 * Description:
 *   All boards either provide a way to retrieve a formatted string of the
@@ -100,15 +100,14 @@ int board_get_uuid32_formated(char *format_buffer, int size,
 {
 	uuid_uint32_t uuid;
 	board_get_uuid32(uuid);
-
 	int offset = 0;
 	int sep_size = seperator ? strlen(seperator) : 0;

-	for (unsigned int i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
-		offset += snprintf(&format_buffer[offset], size - ((i * 2 * sizeof(uint32_t)) + 1), format, uuid[i]);
+	for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
+		offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);

-		if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
-			strcat(&format_buffer[offset], seperator);
+		if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
+			strncat(&format_buffer[offset], seperator, size - offset);
 			offset += sep_size;
 		}
 	}
@@ -71,15 +71,14 @@ int board_get_uuid32_formated(char *format_buffer, int size,
 {
 	uuid_uint32_t uuid;
 	board_get_uuid32(uuid);
-
 	int offset = 0;
 	int sep_size = seperator ? strlen(seperator) : 0;

-	for (unsigned int i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
-		offset += snprintf(&format_buffer[offset], size - ((i * 2 * sizeof(uint32_t)) + 1), format, uuid[i]);
+	for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
+		offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);

-		if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
-			strcat(&format_buffer[offset], seperator);
+		if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
+			strncat(&format_buffer[offset], seperator, size - offset);
 			offset += sep_size;
 		}
 	}
@@ -71,15 +71,14 @@ int board_get_uuid32_formated(char *format_buffer, int size,
 {
 	uuid_uint32_t uuid;
 	board_get_uuid32(uuid);
-
 	int offset = 0;
 	int sep_size = seperator ? strlen(seperator) : 0;

-	for (unsigned int i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
-		offset += snprintf(&format_buffer[offset], size - ((i * 2 * sizeof(uint32_t)) + 1), format, uuid[i]);
+	for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
+		offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);

-		if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
-			strcat(&format_buffer[offset], seperator);
+		if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
+			strncat(&format_buffer[offset], seperator, size - offset);
 			offset += sep_size;
 		}
 	}
@@ -65,11 +65,11 @@ int board_get_uuid32_formated(char *format_buffer, int size,
 	int offset = 0;
 	int sep_size = seperator ? strlen(seperator) : 0;

-	for (unsigned i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
+	for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
 		offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);

-		if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
-			strcat(&format_buffer[offset], seperator);
+		if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
+			strncat(&format_buffer[offset], seperator, size - offset);
 			offset += sep_size;
 		}
 	}
@@ -89,11 +89,11 @@ int board_get_uuid32_formated(char *format_buffer, int size,
 	int offset = 0;
 	int sep_size = seperator ? strlen(seperator) : 0;

-	for (unsigned i = 0; i < PX4_CPU_UUID_WORD32_LENGTH; i++) {
+	for (unsigned i = 0; (offset < size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH); i++) {
 		offset += snprintf(&format_buffer[offset], size - offset, format, uuid[i]);

-		if (sep_size && i < PX4_CPU_UUID_WORD32_LENGTH - 1) {
-			strcat(&format_buffer[offset], seperator);
+		if (sep_size && (offset < size - sep_size - 1) && (i < PX4_CPU_UUID_WORD32_LENGTH - 1)) {
+			strncat(&format_buffer[offset], seperator, size - offset);
 			offset += sep_size;
 		}
 	}