Skip to content

fix: guard CFE_SB_GetUserDataLength against unsigned underflow#2754

Open
stark256-spec wants to merge 1 commit into
nasa:devfrom
stark256-spec:fix/sb-getuserdatalength-underflow
Open

fix: guard CFE_SB_GetUserDataLength against unsigned underflow#2754
stark256-spec wants to merge 1 commit into
nasa:devfrom
stark256-spec:fix/sb-getuserdatalength-underflow

Conversation

@stark256-spec

Copy link
Copy Markdown

Fixes #2697. When a SB message's CCSDS Length field encodes a total smaller than the header size, the unsigned subtraction TotalMsgSize - HdrSize wraps to SIZE_MAX. Every downstream caller using this value as a buffer size or loop bound then performs an unbounded OOB read. Adds a TotalMsgSize <= HdrSize guard returning 0 for malformed messages, consistent with the existing NULL-pointer guard.

When a SB message's CCSDS Length field encodes a total smaller than
the secondary header size (e.g. Length=0 on a Cmd or Tlm message),
the unsigned subtraction TotalMsgSize - HdrSize wraps to SIZE_MAX.
Every downstream caller that uses this value as a buffer size or loop
bound then performs an unbounded OOB read.

Add a TotalMsgSize <= HdrSize guard that returns 0 for malformed
messages, consistent with the existing NULL-pointer guard above.

Fixes nasa/cFS#2697
@stark256-spec

Copy link
Copy Markdown
Author

Looks like @linerfan5114's PR #2703 was opened for this issue before mine — I wasn't aware of it when I submitted #2754. Same root cause (unsigned underflow in CFE_SB_GetUserDataLength), so no need for two fixes here.

@linerfan5114 — has #2703 merged, or is it still pending review? Happy to close #2754 as a duplicate either way, or if there's something my version handles differently that's useful, glad to fold it into yours instead. Just let me know.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

2 participants