fix lightware_laser_serial: prevent potential heap buffer overflow (#22202)

In the lightware_parser function, the LW_PARSE_STATE2_GOT_DIGIT0 state can be repeated unexpectedly without proper parserbuf_index or state checking. This behavior will trigger a heap buffer overflow vulnerability by allowing some data to be written, and the writable size is sizeof(unsigned).
zeroone-kr authored Oct 11, 2023
1 parent 5352a64 commit 6dfede0
Showing 1 changed file with 5 additions and 0 deletions.
Expand Up @@ -219,6 +219,11 @@ int LightwareLaserSerial::collect()

} else {
for (int i = 0; i < ret; i++) {
// Check for overflow
if (_linebuf_index >= sizeof(_linebuf)) {
_parse_state = LW_PARSE_STATE0_UNSYNC;
}

if (OK == lightware_parser(readbuf[i], _linebuf, &_linebuf_index, &_parse_state, &distance_m)) {
valid = true;
}
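
Review bot: The new guard at the top of the `for` loop only sets `_parse_state = LW_PARSE_STATE0_UNSYNC` and leaves `_linebuf_index` at its out-of-range value, then passes that index to `lightware_parser` in the same iteration, so the fix holds only if the parser resets the index in that state before any write to `_linebuf`, which these lines do not show. Consider setting `_linebuf_index = 0` in the same branch, or moving the bounds check into `lightware_parser` next to the write, since the commit message locates the missing check there and a check in the parser would cover every caller. The comment `// Check for overflow` could also name the state sequence it guards against.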

1 comment on commit 6dfede0

zeroone-kr (Contributor, Author) commented on 6dfede0 Oct 11, 2023

The commit message is not correct. The writable size is the maximum value of unsigned int.
