Skip to content

fix: off-by-one in DLT_MSG_READ_STRING allows dst[length] write past buffer end#843

Closed
aki1770-del wants to merge 1 commit into
COVESA:masterfrom
aki1770-del:fix/dlt-msg-read-string-off-by-one-616
Closed

fix: off-by-one in DLT_MSG_READ_STRING allows dst[length] write past buffer end#843
aki1770-del wants to merge 1 commit into
COVESA:masterfrom
aki1770-del:fix/dlt-msg-read-string-off-by-one-616

Conversation

@aki1770-del

Copy link
Copy Markdown
Contributor

Fixes #616.

Bug

`DLT_MSG_READ_STRING` in `include/dlt/dlt_common.h` writes a null terminator at `dst[length]` after copying `length` bytes into `dst`. The guard condition `dstlength < length` allows `dstlength == length` through to the else branch, where `dst[length]` is one past the end of the buffer (valid indices: `0..dstlength-1`).

Reproducer (ASAN-confirmed, from issue):
```
dlt-convert -a ./poc.dlt
```

CWE-193 (Off-by-one).

Fix

Tighten the guard from `dstlength < length` to `dstlength <= length`, requiring the destination buffer to hold at least `length + 1` bytes before proceeding.

```diff

  •    if ((maxlength < 0) || (length <= 0) || (dstlength < length) || (maxlength < length)) \
    
  •    if ((maxlength < 0) || (length <= 0) || (dstlength <= length) || (maxlength < length)) \
    

```

Files: `include/dlt/dlt_common.h` — +1/−1


AI-assisted — authored with Claude, reviewed by Komada.

…buffer end

Guard condition dstlength < length allows dstlength == length through,
causing dst[length] = 0 to write one past end of buffer. Tighten to
dstlength <= length to require space for the null terminator.

CWE-193. Fixes COVESA#616.
@aki1770-del

Copy link
Copy Markdown
Contributor Author

Closing this one.

I opened a batch of PRs on this repo over a few days in early April without first doing the build-and-test verification a change in this codebase deserves, and they have been sitting in your queue since. Holding a review slot I didn't earn isn't fair to you, so I'm withdrawing them rather than leaving them open.

The branch stays up. If any of the diff is useful, please take it freely — no attribution needed, and no need to reply here.

Sorry for the noise.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

NULL byte overflow in dlt_message_argument_print

1 participant