drivers/can: protect against write buffer overrun

The message size is being calculated from the message itself. If the
application sets the value cm_hdr.ch_dlc greater than buflen (that is
size_t), then the calculation in the while condition underflows and
multiple messages are attempted to be sent.

This check prevents that by verifying that the message size that was
encoded in the dlc is not greater than the indicated size of the buffer.

Signed-off-by: Karel Kočí <cynerd@email.cz>
Karel Kočí
2025-10-14 15:41:52 +02:00
committed by Xiang Xiao
parent 3577254d9f
commit a19971f1bc
+7
@@ -679,6 +679,13 @@ static ssize_t can_write(FAR struct file *filep, FAR const char *buffer,
nbytes = can_dlc2bytes(msg->cm_hdr.ch_dlc);
msglen = CAN_MSGLEN(nbytes);
if (nsent + msglen > buflen)
{
/* Do not send message if not fully passed. */
break;
}
can_add_sendnode(sender, msg, msglen);
/* Increment the number of bytes that were sent */
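Review bot: The new `break` on `nsent + msglen > buflen` drops a truncated trailing message silently, and when it fires on the first message `nsent` is still 0, so the caller cannot tell a malformed `ch_dlc` from "nothing written". Consider reporting an error (for example `-EINVAL`) when no complete message has been queued yet, or at least documenting the short-write behaviour in the function's comment so applications do not retry the same buffer indefinitely. The check would also be easier to audit written as `msglen > buflen - nsent`, which cannot wrap as long as `nsent <= buflen` holds, and the comment could name the actual condition, e.g. that the length decoded from the DLC exceeds the bytes remaining in the user buffer.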