From f1ba0c0355f2f7e22cee2ad79642c1bcb1f5c789 Mon Sep 17 00:00:00 2001
From: Peter Barker
Date: Fri, 27 Mar 2026 18:02:07 +1100
Subject: [PATCH] AP_ADSB: avoid buffer overwrite in AP_ADSB_Sagetech_MXS

we were not bounds-checking the off-wire length, and then reading many bytes into a target buffer based on it. Do the bounds check.

Also remove the writing of the checksum into the payload buffer - this was the notional 1-byte overwrite
---
 libraries/AP_ADSB/AP_ADSB_Sagetech_MXS.cpp | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libraries/AP_ADSB/AP_ADSB_Sagetech_MXS.cpp b/libraries/AP_ADSB/AP_ADSB_Sagetech_MXS.cpp
index ec4e49b7d4c7b..e0a082aee9327 100644
--- a/libraries/AP_ADSB/AP_ADSB_Sagetech_MXS.cpp
+++ b/libraries/AP_ADSB/AP_ADSB_Sagetech_MXS.cpp
@@ -279,6 +279,12 @@ bool AP_ADSB_Sagetech_MXS::parse_byte(const uint8_t data)
     case ParseState::WaitingFor_PayloadLen:
         message_in.checksum += data;
         message_in.packet.payload_length = data;
+        // the checksum is also appended to the payload array, so
+        // we only allow a 254 byte payload here:
+        if (message_in.packet.payload_length >= ARRAY_SIZE(message_in.packet.payload)) {
+            message_in.state = ParseState::WaitingFor_Start;
+            break;
+        }
         message_in.index = 0;
         message_in.state = (data == 0) ? ParseState::WaitingFor_Checksum : ParseState::WaitingFor_PayloadContents;
         break;
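Review bot: The comment on the new guard justifies the `>=` bound by the checksum being appended to the payload array, but the commit message says that checksum write is being removed and the diffstat shows only insertions, so one of the two is stale: if the write into `payload` was dropped elsewhere, `>` becomes the tight bound and the rationale should change; if it stays, the message overstates what this patch does. In either case the literal `254` in the comment hard-codes the array size and will silently go wrong if `payload` is resized; `// payload_length must leave room for the trailing checksum byte that is also stored in message_in.packet.payload` ties the bound to the code instead. Whether returning to `WaitingFor_Start` also resets `checksum` and `index` before the next frame is handled outside this hunk and cannot be confirmed here; parse_byte's body continues beyond the hunk.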