fix critical array overrun bug (incomingUBX->payload[] index was only checked against MAX_PAYLOAD_SIZE, but incomingUBX can also be packetAck or packetBuf which have much smaller buffers of only 2 bytes)

nelarsen · nelarsen · commit 386e0de91e8c · 2020-11-28T17:30:28.000+01:00
diff --git a/src/SparkFun_Ublox_Arduino_Library.cpp b/src/SparkFun_Ublox_Arduino_Library.cpp
@@ -760,6 +760,9 @@ void SFE_UBLOX_GPS::processRTCM(uint8_t incoming)
 //a subset of bytes within a larger packet.
 void SFE_UBLOX_GPS::processUBX(uint8_t incoming, ubxPacket *incomingUBX, uint8_t requestedClass, uint8_t requestedID)
 {
+   size_t max_payload_size = (activePacketBuffer == SFE_UBLOX_PACKET_PACKETCFG) ? MAX_PAYLOAD_SIZE : 2;
+   bool overrun = false;
+
   //Add all incoming bytes to the rolling checksum
   //Stop at len+4 as this is the checksum bytes to that should not be added to the rolling checksum
   if (incomingUBX->counter < incomingUBX->len + 4)
@@ -931,18 +934,22 @@ void SFE_UBLOX_GPS::processUBX(uint8_t incoming, ubxPacket *incomingUBX, uint8_t
       if ((incomingUBX->counter - 4) >= startingSpot)
       {
         //Check to see if we have room for this byte
-        if (((incomingUBX->counter - 4) - startingSpot) < MAX_PAYLOAD_SIZE) //If counter = 208, starting spot = 200, we're good to record.
+        if (((incomingUBX->counter - 4) - startingSpot) < max_payload_size) //If counter = 208, starting spot = 200, we're good to record.
         {
           incomingUBX->payload[incomingUBX->counter - 4 - startingSpot] = incoming; //Store this byte into payload array
         }
+        else
+        {
+          overrun = true;
+        }
       }
     }
   }
 
   //Increment the counter
   incomingUBX->counter++;
 
-  if (incomingUBX->counter == MAX_PAYLOAD_SIZE)
+  if (overrun or incomingUBX->counter == MAX_PAYLOAD_SIZE)
   {
     //Something has gone very wrong
     currentSentence = NONE; //Reset the sentence to being looking for a new start char

Original file line number	Diff line number	Diff line change
`@@ -760,6 +760,9 @@ void SFE_UBLOX_GPS::processRTCM(uint8_t incoming)`
`760`	`760`	`//a subset of bytes within a larger packet.`
`761`	`761`	`void SFE_UBLOX_GPS::processUBX(uint8_t incoming, ubxPacket *incomingUBX, uint8_t requestedClass, uint8_t requestedID)`
`762`	`762`	`{`
	`763`	`+ size_t max_payload_size = (activePacketBuffer == SFE_UBLOX_PACKET_PACKETCFG) ? MAX_PAYLOAD_SIZE : 2;`
	`764`	`+ bool overrun = false;`
	`765`	`+`
`763`	`766`	`//Add all incoming bytes to the rolling checksum`
`764`	`767`	`//Stop at len+4 as this is the checksum bytes to that should not be added to the rolling checksum`
`765`	`768`	`if (incomingUBX->counter < incomingUBX->len + 4)`
`@@ -931,18 +934,22 @@ void SFE_UBLOX_GPS::processUBX(uint8_t incoming, ubxPacket *incomingUBX, uint8_t`
`931`	`934`	`if ((incomingUBX->counter - 4) >= startingSpot)`
`932`	`935`	`{`
`933`	`936`	`//Check to see if we have room for this byte`
`934`		`- if (((incomingUBX->counter - 4) - startingSpot) < MAX_PAYLOAD_SIZE) //If counter = 208, starting spot = 200, we're good to record.`
	`937`	`+ if (((incomingUBX->counter - 4) - startingSpot) < max_payload_size) //If counter = 208, starting spot = 200, we're good to record.`
`935`	`938`	`{`
`936`	`939`	`incomingUBX->payload[incomingUBX->counter - 4 - startingSpot] = incoming; //Store this byte into payload array`
`937`	`940`	`}`
	`941`	`+ else`
	`942`	`+ {`
	`943`	`+ overrun = true;`
	`944`	`+ }`
`938`	`945`	`}`
`939`	`946`	`}`
`940`	`947`	`}`
`941`	`948`
`942`	`949`	`//Increment the counter`
`943`	`950`	`incomingUBX->counter++;`
`944`	`951`
`945`		`- if (incomingUBX->counter == MAX_PAYLOAD_SIZE)`
	`952`	`+ if (overrun or incomingUBX->counter == MAX_PAYLOAD_SIZE)`
`946`	`953`	`{`
`947`	`954`	`//Something has gone very wrong`
`948`	`955`	`currentSentence = NONE; //Reset the sentence to being looking for a new start char`