Skip to content

Commit

Permalink
validate received length when decoding arrays using TAO
Browse files Browse the repository at this point in the history 
Avoids overrunning the receive array and corrupting memory.
  • Loading branch information
@tpwrules
tpwrules committed Jul 20, 2024
1 parent d9bb7ae commit 82efabc
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion templates/msg.h.em
View file
Original file line number Diff line number Diff line change
Expand Up @@ -225,10 +225,11 @@ bool _@(msg_underscored_name)_decode(const CanardRxTransfer* transfer, uint32_t*
@(ind)if (tao) {
@{indent += 1}@{ind = ' '*indent}@
@(ind)msg->@(field.name).len = 0;
@(ind)size_t max_len = @(field.type.max_size);
@(ind)uint32_t max_bits = (transfer->payload_len*8)-7; // TAO elements must be >= 8 bits
@(ind)while (max_bits > *bit_ofs) {
@{indent += 1}@{ind = ' '*indent}@
@(ind)if (_@(underscored_name(field.type.value_type))_decode(transfer, bit_ofs, &msg->@(field_get_data(field))[msg->@(field.name).len], @[if field == msg_fields[-1] and field.type.value_type.get_min_bitlen() < 8]tao && i==msg->@(field.name).len@[else]false@[end if]@)) {return true;}
@(ind)if (!max_len-- || _@(underscored_name(field.type.value_type))_decode(transfer, bit_ofs, &msg->@(field_get_data(field))[msg->@(field.name).len], @[if field == msg_fields[-1] and field.type.value_type.get_min_bitlen() < 8]tao && i==msg->@(field.name).len@[else]false@[end if]@)) {return true;}
@(ind)msg->@(field.name).len++;
@{indent -= 1}@{ind = ' '*indent}@
@(ind)}
Expand Down

0 comments on commit 82efabc

Please sign in to comment.