From f6a410f38c9a340f0b64e6f3c48a3566dfd8e8da Mon Sep 17 00:00:00 2001
From: BOB4Drone <91944211+BOB4Drone@users.noreply.github.com>
Date: Thu, 25 Nov 2021 20:15:01 +0900
Subject: [PATCH] Vehicle: fix potential out-of-bound access when receiving LOGGING_DATA* msg
FIX issue #10037
---
 src/Vehicle/Vehicle.cc | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/src/Vehicle/Vehicle.cc b/src/Vehicle/Vehicle.cc
index fc11442..e9e0f04 100644
--- a/src/Vehicle/Vehicle.cc
+++ b/src/Vehicle/Vehicle.cc
@@ -3421,8 +3421,12 @@ void Vehicle::_handleMavlinkLoggingData(mavlink_message_t& message)
 {
     mavlink_logging_data_t log;
     mavlink_msg_logging_data_decode(&message, &log);
-    emit mavlinkLogData(this, log.target_system, log.target_component, log.sequence,
-                        log.first_message_offset, QByteArray((const char*)log.data, log.length), false);
+    if (static_cast(log.length) > sizeof(log.data)) {
+        qWarning() << "Invalid length for LOGGING_DATA, discarding." << log.length;
+    } else {
+        emit mavlinkLogData(this, log.target_system, log.target_component, log.sequence,
+                            log.first_message_offset, QByteArray((const char*)log.data, log.length), false);
+    }
 }
 
 void Vehicle::_handleMavlinkLoggingDataAcked(mavlink_message_t& message)
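Review bot: The added guard reads `static_cast(log.length) > sizeof(log.data)` with no template argument, which does not compile as shown; this is probably `<size_t>` lost in the page rendering, but if it is really missing the same defect is in the LOGGING_DATA_ACKED hunk below. The cast is not needed in either place, since `log.length > sizeof(log.data)` compares correctly after integer promotion and reads more plainly. The re-added emit also keeps the C-style `(const char*)log.data`; `reinterpret_cast<const char*>(log.data)` would make the intent explicit and is what the project's linters would flag otherwise. The function's signature line sits just outside this hunk, but its whole body is visible.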
@@ -3430,8 +3434,12 @@ void Vehicle::_handleMavlinkLoggingDataAcked(mavlink_message_t& message)
     mavlink_logging_data_acked_t log;
     mavlink_msg_logging_data_acked_decode(&message, &log);
     _ackMavlinkLogData(log.sequence);
-    emit mavlinkLogData(this, log.target_system, log.target_component, log.sequence,
-                        log.first_message_offset, QByteArray((const char*)log.data, log.length), true);
+    if (static_cast(log.length) > sizeof(log.data)) {
+        qWarning() << "Invalid length for LOGGING_DATA_ACKED, discarding." << log.length;
+    } else {
+        emit mavlinkLogData(this, log.target_system, log.target_component, log.sequence,
+                            log.first_message_offset, QByteArray((const char*)log.data, log.length), false);
+    }
 }
 
 void Vehicle::setFirmwarePluginInstanceData(QObject* firmwarePluginInstanceData)
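Review bot: The re-added emit in the ACKED handler passes `false` as the last argument where the removed line passed `true`, so this commit silently changes the acked flag that listeners of mavlinkLogData receive for LOGGING_DATA_ACKED; it looks like the block was copied from the LOGGING_DATA hunk. The line should read `log.first_message_offset, QByteArray((const char*)log.data, log.length), true);`. Separately, `_ackMavlinkLogData(log.sequence)` still runs before the new length check, so a message that is then discarded is acknowledged to the sender anyway; if the ack is meant to confirm data that was actually consumed, moving that call into the else branch (or returning early after the warning) would keep the two in step — worth confirming against the intended retransmission behaviour. The function's signature and opening brace lie above this hunk.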