Commit eaff818
fix: restore description_length cap in V2 register_application and register_context
The DLTv2 IPC registration handlers have their description_length
sanity guards commented out, while the equivalent V1 code paths apply
them correctly. This allows an attacker-controlled description_length
(uint32) to be passed directly to dlt_receiver_check_and_get, which
calls memcpy into a 257-byte stack buffer (description[DLT_DAEMON_DESCSIZE + 1]),
causing a stack buffer overflow.
Uncomment the existing guards in both V2 code paths to clamp
description_length to DLT_DAEMON_DESCSIZE (256).
Affected functions:
- dlt_daemon_process_user_message_register_application (V2 branch, ~line 4012)
- dlt_daemon_process_user_message_register_context (V2 branch, ~line 4301)
Signed-off-by: Ian Chu <ian_chu@vicone.com>
1 parent fd1fbf8, commit eaff818
1 file changed
Lines changed: 8 additions & 8 deletions
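The bug class the commit message describes, as an added example that is not dlt-daemon's own code: a hypothetical `reg_message` struct stands in for the parsed registration message, `copy_description_unguarded` mirrors the V2 path with the guard commented out, and `copy_description_guarded` applies the restored clamp to DLT_DAEMON_DESCSIZE (the additional `payload_len` bound is this example's own addition, not part of the commit).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the daemon's limit (256 in dlt-daemon). */
#define DLT_DAEMON_DESCSIZE 256

/* Hypothetical view of a registration message: description_length is peer-controlled. */
struct reg_message {
    uint32_t description_length;
    const uint8_t *payload;   /* bytes still in the receive buffer */
    size_t payload_len;
};

/* BEFORE: the V2 handlers with the guard commented out. description_length flows
 * straight into memcpy against a 257-byte stack buffer. Kept for comparison, never called. */
void copy_description_unguarded(const struct reg_message *m, char desc[DLT_DAEMON_DESCSIZE + 1])
{
    memcpy(desc, m->payload, m->description_length);   /* stack overflow when length > 257 */
    desc[m->description_length] = '\0';
}

/* AFTER: the restored guard clamps the length before it reaches the copy. The extra
 * payload_len check is this example's addition, not the commit's. Returns bytes copied. */
size_t copy_description_guarded(const struct reg_message *m, char desc[DLT_DAEMON_DESCSIZE + 1])
{
    uint32_t len = m->description_length;
    if (len > DLT_DAEMON_DESCSIZE)       /* the guard the commit uncomments */
        len = DLT_DAEMON_DESCSIZE;       /* 256 bytes + terminator fits the 257-byte buffer */
    if (len > m->payload_len)            /* never read past what was actually received */
        len = (uint32_t)m->payload_len;
    memcpy(desc, m->payload, len);
    desc[len] = '\0';
    return len;
}

/* Runs the guarded copy on a constructed message that claims `claimed` bytes while
 * `available` bytes are present (capped at 4096 here); returns how many were copied. */
size_t demo_copy(uint32_t claimed, size_t available)
{
    static uint8_t junk[4096];
    memset(junk, 'A', sizeof junk);
    if (available > sizeof junk) available = sizeof junk;
    struct reg_message m = { claimed, junk, available };
    char desc[DLT_DAEMON_DESCSIZE + 1];
    return copy_description_guarded(&m, desc);
}
```

A claimed length of 0xFFFFFFFF, the worst case for an unchecked uint32, is reduced to 256 by the guard, so the copy stays inside the buffer.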
Diff (code lines not rendered in this view): two hunks, each replacing four lines in place, at 4012-4015 (register_application, V2 branch) and 4301-4304 (register_context, V2 branch); unchanged context at 4009-4011 / 4016-4018 and 4298-4300 / 4305-4307.
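Review bot: the hunk bodies are not rendered here, so the two restored guards (4012-4015 and 4301-4304) cannot be checked line by line against the commit message; since the message states that V1 already applies the same check, both V2 copies should match the V1 guard exactly (compare description_length against DLT_DAEMON_DESCSIZE and clamp, leaving the one extra byte of description[DLT_DAEMON_DESCSIZE + 1] for the terminator). Because the guards were commented out rather than absent, a regression test exercising both V2 handlers with an over-limit description_length would keep this from silently returning.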