daemon: fix out-of-bounds read in dlt_daemon_control_set_log_level_v2 #862
Open
SoundMatt wants to merge 1 commit into
Mirror of COVESA#861 for the parallel SET_LOG_LEVEL V2 control handler. The fixed-size precheck validates only the 11-byte minimum SET_LOG_LEVEL V2 request (apidlen = ctidlen = 0). The function then reads two attacker-controlled uint8_t length fields (apidlen, ctidlen) and uses them to advance an offset into msg->databuffer, before passing pointers into the buffer to dlt_set_id_v2() (which reads up to apidlen / ctidlen bytes), a 1-byte log_level read, and a 4-byte memcpy of the trailing com field. A short message with non-zero length fields causes the variable-length reads to walk past the end of msg->databuffer. Add bounds checks after each length is parsed; on failure return without further processing (req is on the stack, no allocation cleanup required).
This was referenced May 5, 2026
Problem

Same shape as #861, applied to the parallel SET_LOG_LEVEL V2 handler.

`dlt_daemon_control_set_log_level_v2` validates only the 11-byte fixed portion of the SET_LOG_LEVEL V2 request before reading two attacker-controlled `uint8_t` length fields (`apidlen`, `ctidlen`) and using them to advance a buffer offset. A short message with non-zero length fields causes `dlt_set_id_v2()`, the trailing 1-byte `log_level` read, and the final 4-byte `memcpy()` of the `com` field to read past the end of `msg->databuffer`. Reachable from any client that can talk to the daemon's control socket. Bounded OOB read; no OOB write.

Fix

Two bounds checks:

- After `apidlen` is parsed, verify the message contains `apidlen + 1` more bytes (apid + the upcoming `ctidlen` byte).
- After `ctidlen` is parsed, verify the message contains `ctidlen + 1 + DLT_ID_SIZE` more bytes (ctid + log_level + com).

Unlike `dlt_daemon_control_get_log_info_v2` in #861, the request struct here lives on the stack, so no allocation cleanup is required on the early returns.

Notes

- in either order.
- function: at lines 3719/3721 the local `apid`/`ctid` pointers (declared NULL at 3687/3688) are passed to `dlt_set_id_v2()` while still NULL, so the call is a no-op, yet line 3723 (and later branches) dereferences them: `apid[apid_length - 1]`. This NULL-derefs whenever `apid_length != 0`. Looks like the intent was `apid = req.apid;` (pointer assignment). Filing separately since it's an orthogonal bug class.
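The request layout and the two bounds checks described in this PR, as an added C example (not dlt-daemon code and not the patch under review): a parser that applies both checks, beside a helper that only computes how far the unchecked parse would read, so the sample inputs can be run without touching memory past a buffer. The layout is reconstructed from the 11-byte minimum the description gives (apidlen = ctidlen = 0); the leading 4-byte service-id field, the `SERVICE_ID_LEN` constant, the struct and function names, and the sample messages are assumptions constructed for this example.

```c
/*
 * Added example, not dlt-daemon code: a bounds-checked parser for the
 * SET_LOG_LEVEL V2 request shape described in the PR, beside a count of
 * the bytes the unchecked parse would touch.
 *
 * Layout assumed from the 11-byte minimum (apidlen = ctidlen = 0):
 *   service_id[4] | apidlen (u8) | apid[apidlen] | ctidlen (u8) |
 *   ctid[ctidlen] | log_level (u8) | com[DLT_ID_SIZE]
 * The leading 4-byte service-id field is an assumption; the rest is what
 * the PR description states.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_ID_SIZE 4        /* width of a DLT id, here the com field */
#define SERVICE_ID_LEN 4     /* assumed leading service-id field */
#define SET_LOG_LEVEL_V2_MIN (SERVICE_ID_LEN + 1 + 1 + 1 + DLT_ID_SIZE) /* 11 */

struct set_log_level_v2 {
    uint8_t apidlen, ctidlen;
    const uint8_t *apid, *ctid;   /* point into the caller's buffer */
    int8_t log_level;
    char com[DLT_ID_SIZE];
};

/* Bytes the unchecked handler reaches once the 11-byte precheck passes;
 * anything beyond len is a read past the end of the buffer. Computes the
 * extent only; it never dereferences outside [buf, buf + len). */
size_t unchecked_bytes_touched(const uint8_t *buf, size_t len)
{
    if (len < SET_LOG_LEVEL_V2_MIN)
        return 0;                        /* precheck rejects it */
    size_t off = SERVICE_ID_LEN;
    off += 1 + buf[off];                 /* apidlen byte, then apid bytes */
    if (off >= len)
        return off + 1;                  /* the ctidlen read itself is OOB */
    off += 1 + buf[off];                 /* ctidlen byte, then ctid bytes */
    return off + 1 + DLT_ID_SIZE;        /* log_level, then the com memcpy */
}

/* Returns 0 on success, -1 when the message is too short at any step.
 * The two checks are the ones the PR adds: after apidlen, apidlen + 1 more
 * bytes must remain; after ctidlen, ctidlen + 1 + DLT_ID_SIZE more. */
int parse_set_log_level_v2(const uint8_t *buf, size_t len,
                           struct set_log_level_v2 *req)
{
    if (buf == NULL || req == NULL || len < SET_LOG_LEVEL_V2_MIN)
        return -1;
    memset(req, 0, sizeof *req);
    size_t off = SERVICE_ID_LEN;

    req->apidlen = buf[off++];
    if (len - off < (size_t)req->apidlen + 1)            /* apid + ctidlen byte */
        return -1;
    req->apid = buf + off;
    off += req->apidlen;

    req->ctidlen = buf[off++];
    if (len - off < (size_t)req->ctidlen + 1 + DLT_ID_SIZE) /* ctid + level + com */
        return -1;
    req->ctid = buf + off;
    off += req->ctidlen;

    req->log_level = (int8_t)buf[off++];
    memcpy(req->com, buf + off, DLT_ID_SIZE);
    return 0;
}

/* Parses buf and compares every field; 1 on a full match, 0 otherwise. */
int parse_matches(const uint8_t *buf, size_t len, const char *apid,
                  const char *ctid, int log_level, const char *com)
{
    struct set_log_level_v2 r;
    if (parse_set_log_level_v2(buf, len, &r) != 0)
        return 0;
    return (size_t)r.apidlen == strlen(apid) && memcmp(r.apid, apid, r.apidlen) == 0
        && (size_t)r.ctidlen == strlen(ctid) && memcmp(r.ctid, ctid, r.ctidlen) == 0
        && r.log_level == log_level && memcmp(r.com, com, DLT_ID_SIZE) == 0;
}

/* Constructed messages, not captured daemon traffic. */
const uint8_t MSG_MIN[]  = { 0x11,0,0,0, 0, 0, 4, 'r','e','m','o' };
const uint8_t MSG_FULL[] = { 0x11,0,0,0, 4,'A','P','P','1', 4,'C','T','X','1',
                             4, 'r','e','m','o' };
/* 11 bytes that pass the fixed-size precheck but claim a 255-byte apid */
const uint8_t MSG_BAD_APID[] = { 0x11,0,0,0, 0xFF, 0, 4, 'r','e','m','o' };
/* valid apid, then a ctidlen one byte larger than what remains */
const uint8_t MSG_BAD_CTID[] = { 0x11,0,0,0, 4,'A','P','P','1', 5,'C','T','X','1',
                                 4, 'r','e','m','o' };

int main(void)
{
    struct { const char *name; const uint8_t *buf; size_t len; } cases[] = {
        { "minimum",     MSG_MIN,      sizeof MSG_MIN },
        { "apid+ctid",   MSG_FULL,     sizeof MSG_FULL },
        { "apidlen=255", MSG_BAD_APID, sizeof MSG_BAD_APID },
        { "ctidlen+1",   MSG_BAD_CTID, sizeof MSG_BAD_CTID },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct set_log_level_v2 r;
        int rc = parse_set_log_level_v2(cases[i].buf, cases[i].len, &r);
        size_t touched = unchecked_bytes_touched(cases[i].buf, cases[i].len);
        printf("%-12s len=%2zu unchecked reads %3zu bytes (%s), checked parse: %s\n",
               cases[i].name, cases[i].len, touched,
               touched > cases[i].len ? "OOB" : "in bounds",
               rc == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

The `MSG_BAD_CTID` case is the one worth keeping in a regression test: it passes the first check and overruns by a single byte, which a check written as `ctidlen + DLT_ID_SIZE` (forgetting the `log_level` byte) would let through.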