Commit c7e904c
committed
lib: fix heap buffer overflow in dlt_with_filename_and_line_number
When the source filename string is longer than 255 bytes,
dlt_with_filename_and_line_number(fina, linr) overflows the heap
buffer it allocates for dlt_user.filename:
dlt_user.filenamelen = (uint8_t)strlen(fina); // truncates
...
dlt_user.filename = malloc(dlt_user.filenamelen + 1); // small
strcpy(dlt_user.filename, fina); // full
filenamelen is uint8_t (matching the V2 wire-format field width
declared in include/dlt/dlt_user.h.in), so the cast truncates
strlen(fina) modulo 256. The subsequent malloc allocates the
truncated length + 1, but strcpy copies the entire fina including
its real terminator, writing strlen(fina) - filenamelen bytes past
the end of the heap chunk.
Reachable in practice via long compile-time __FILE__ paths
(monorepo-rooted absolute paths) and any application that forwards
a user-controlled filename through this function.
Fix: clamp strlen(fina) to UINT8_MAX before assigning filenamelen,
allocate against the clamped length, and copy with memcpy + explicit
null terminator instead of strcpy. The on-wire field still gets the
truncated length, which matches the maximum the V2 protocol can
encode.1 parent fd1fbf8 commit c7e904c
1 file changed
Lines changed: 13 additions & 3 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
4673 | 4673 | | |
4674 | 4674 | | |
4675 | 4675 | | |
4676 | | - | |
| 4676 | + | |
| 4677 | + | |
| 4678 | + | |
| 4679 | + | |
| 4680 | + | |
| 4681 | + | |
| 4682 | + | |
| 4683 | + | |
| 4684 | + | |
| 4685 | + | |
4677 | 4686 | | |
4678 | 4687 | | |
4679 | 4688 | | |
4680 | 4689 | | |
4681 | 4690 | | |
4682 | | - | |
| 4691 | + | |
4683 | 4692 | | |
4684 | 4693 | | |
4685 | 4694 | | |
4686 | 4695 | | |
4687 | | - | |
| 4696 | + | |
| 4697 | + | |
4688 | 4698 | | |
4689 | 4699 | | |
4690 | 4700 | | |
| |||
0 commit comments