fix: validate optData length in FCP_Get_OptData to prevent buffer overflow#7
Open
steps-re wants to merge 1 commit into
Open
fix: validate optData length in FCP_Get_OptData to prevent buffer overflow#7steps-re wants to merge 1 commit into
steps-re wants to merge 1 commit into
Conversation
…rflow FCP_Get_OptData() read the optional-data length byte straight from the received frame and memcpy'd that many bytes into the caller's optData buffer without checking it against the actual frame length. A malformed or corrupted unencrypted frame (the length byte is attacker/noise controlled and unauthenticated) could therefore declare up to 255 bytes and overrun the caller's buffer while parsing an incoming RF frame. FCP_Get_OptData_Length() already guards this exact case and returns ERR_LENGTH_MISMATCH. Apply the same check in FCP_Get_OptData() before the memcpy. Valid frames are unaffected (the declared length equals the bytes present); malformed frames now return ERR_LENGTH_MISMATCH instead of overflowing. Verified on a host build (identity-AES stub) under AddressSanitizer: encrypted and unencrypted round-trips still decode correctly, and a frame with a length byte of 200 into an 8-byte buffer now returns -4 instead of triggering an overflow. Signed-off-by: Mike German <mike@stepsventures.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
FCP_Get_OptData()can overflow the caller'soptDatabuffer when parsing a malformed frame.Details
The function reads the optional-data length byte from a received frame and
memcpys that many bytes into the caller's buffer with no bounds check. On the unencrypted path that length byte is unauthenticated (attacker- or noise-controlled), so a corrupted RF frame can declare up to 255 bytes and overrunoptDatawhile parsing an incoming frame. The siblingFCP_Get_OptData_Length()already validates exactly this condition and returnsERR_LENGTH_MISMATCH;FCP_Get_OptData()did not.Fix
Add the same length check before the
memcpy, returningERR_LENGTH_MISMATCHon mismatch. Valid frames (declared length == bytes present) are unaffected.Verification
FOSSA-Comms.cppagainst minimal Arduino/AES stubs, built withg++ -fsanitize=address.FOSSA-Comms.cpp:188.ERR_LENGTH_MISMATCHwith ASan clean.Scope note: the encrypted path has an analogous copy behind the AES password check (authenticated, much lower risk); I kept this PR tight to the clearly-exploitable unauthenticated path.