sbf: fix overrun on invalid length
Browse files Browse the repository at this point in the history
Before checking the CRC across header and payload, we need to check if
the length is valid. If the length is longer than what we have read into
the buffer, it must be invalid and we don't have to bother with the CRC.

This should fix a potential segfault where the CRC overruns the
allocated buffer due to a corrupt length field.
julianoes authored and bkueng committed Jun 2, 2022
1 parent 181fae1 commit 016c37c
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion src/sbf.cpp
@@ -462,7 +462,9 @@ int GPSDriverSBF::payloadRxDone()
struct tm timeinfo;
time_t epoch;

if (_buf.length <= 4 || _buf.crc16 != crc16(reinterpret_cast<uint8_t *>(&_buf) + 4, _buf.length - 4)) {
if (_buf.length <= 4 ||
_buf.length > _rx_payload_index ||
_buf.crc16 != crc16(reinterpret_cast<uint8_t *>(&_buf) + 4, _buf.length - 4)) {
return 0;
}

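Review bot: the new `_buf.length > _rx_payload_index` guard is only sufficient if `_rx_payload_index` counts the bytes received into `_buf` from its start (header included), because the CRC is computed from `&_buf + 4` over `_buf.length - 4` bytes, i.e. offsets 4 through `_buf.length - 1`; a one-line comment next to the check stating that invariant would let a reader verify the bound without tracing the receive path. It also only rejects lengths beyond what was read so far; a length larger than the buffer itself is excluded only if the receive path already caps `_rx_payload_index` at the buffer size, which this hunk does not show. Consider adding a test that feeds a frame whose length field exceeds the bytes received and asserts that `payloadRxDone()` returns 0 without touching the CRC.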
