From b6bc30fef7e019eadea8ba13dada94c381ac84e2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beat=20K=C3=BCng?=
Date: Wed, 8 Dec 2021 07:19:07 +0100
Subject: [PATCH] fix MavlinkConsoleController: avoid buffer out-of-bound access (#10062)

mavlink_msg_serial_control_pack_chan expects MAVLINK_MSG_SERIAL_CONTROL_FIELD_DATA_LEN bytes for 'data', but 'chuck' might be smaller than that.
---
 src/AnalyzeView/MavlinkConsoleController.cc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/AnalyzeView/MavlinkConsoleController.cc b/src/AnalyzeView/MavlinkConsoleController.cc
index 5f67a24..6ef0952 100644
--- a/src/AnalyzeView/MavlinkConsoleController.cc
+++ b/src/AnalyzeView/MavlinkConsoleController.cc
@@ -143,6 +143,8 @@ MavlinkConsoleController::_sendSerialData(QByteArray data, bool close)
 // Send maximum sized chunks until the complete buffer is transmitted
 while(data.size()) {
 QByteArray chunk{data.left(MAVLINK_MSG_SERIAL_CONTROL_FIELD_DATA_LEN)};
+ // Ensure the buffer is large enough, as the MAVLink parser expects MAVLINK_MSG_SERIAL_CONTROL_FIELD_DATA_LEN bytes
+ chunk.append(MAVLINK_MSG_SERIAL_CONTROL_FIELD_DATA_LEN - chunk.size(), '\0');
 uint8_t flags = SERIAL_CONTROL_FLAG_EXCLUSIVE | SERIAL_CONTROL_FLAG_RESPOND | SERIAL_CONTROL_FLAG_MULTI;
 if (close) flags = 0;
 auto protocol = qgcApp()->toolbox()->mavlinkProtocol();
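Review bot: The zero padding added at `chunk.append(MAVLINK_MSG_SERIAL_CONTROL_FIELD_DATA_LEN - chunk.size(), '\0');` makes `chunk.size()` equal to the full field length, so any later use of `chunk.size()` in `_sendSerialData` — presumably the `count` argument handed to `mavlink_msg_serial_control_pack_chan` and the number of bytes removed from `data` to advance the loop — would now see the padded length instead of the real byte count; the rest of the loop body is outside the hunk, so this needs confirming against the lines that follow. Capturing the length before padding, `const int payloadLen = chunk.size();`, and using it for both the wire `count` and the advance keeps the receiver from being handed trailing NULs and keeps the loop from skipping input bytes. The new comment attributes the fixed-size requirement to "the MAVLink parser"; per the commit message it is the pack call that reads a fixed-size buffer, so `// mavlink_msg_serial_control_pack_chan copies MAVLINK_MSG_SERIAL_CONTROL_FIELD_DATA_LEN bytes from 'data' regardless of count; pad so the read stays in bounds` states the reason more precisely.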