Potential Buffer Overrun in CANMessage Constructor #12311
Labels
Comments
|
Internal Jira reference: https://jira.arm.com/browse/MBOTRIAGE-2521 |
|
@daniel-starke Thanks for the report. Can you please send a pull request fixing this issue? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Description of defect
The CANMessage constructor takes data and length in two variants. Both variants limit the length to 8 byte when setting the internal length member but fail to use that instead of the unlimited input parameter _len when performing the memcpy() from the passed data pointer. This leads into a potential buffer overrun if an invalid data length is passed to the constructor. I suggest to use len instead of _len for memcpy() in both instances of the constructor. See source code.
Target(s) affected by this defect ?
Every target that supports the CAN bus.
Toolchain(s) (name and version) displaying this defect ?
None. This was found by manual code analysis.
What version of Mbed-os are you using (tag or sha) ?
mbed-os-99.99.99
sha: 5933dec
What version(s) of tools are you using. List all that apply (E.g. mbed-cli)
None.
How is this defect reproduced ?
Code analysis.
The text was updated successfully, but these errors were encountered: