daemon: parse incrementally in dlt_daemon_control_set_trace_status_v2 (V2 control-handler family, ref #866)#869
Open
SoundMatt wants to merge 1 commit into
Conversation
Rewrite the handler to parse the GET request field-by-field instead of casting msg->databuffer directly to DltServiceSetLogLevelV2 *. The struct has char *apid / char *ctid pointer fields, so a direct cast filled them with attacker-controlled values from network input that were then dereferenced — and the old code also hit the same NULL-deref pattern as COVESA#863. Add bounds checks for the two attacker-controlled length fields so the variable-length reads stay within msg->databuffer. Copy the apid/ctid into local fixed-size buffers through the shared dlt_set_id_v2() helper and point apid/ctid at those buffers, keeping id initialisation inside the helper API rather than aliasing the receive buffer (consistent with COVESA#864/COVESA#868/COVESA#861). Related: COVESA#866. Signed-off-by: Matt Jones <47545907+SoundMatt@users.noreply.github.com>
Author
|
Proactively aligned this with the rest of the V2 control-handler family (#864/#868/#861): apid/ctid are now copied into local |
4eff1d9 to
ce9bdd5
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
dlt_daemon_control_set_trace_status_v2was the most severe of theV2 control-handler bugs documented in #866 — it cast
msg->databufferdirectly to
DltServiceSetLogLevelV2 *:DltServiceSetLogLevelV2containschar *apidandchar *ctidpointer fields. Under the direct cast, those fields were filled with
8 bytes of network input each (interpreted as pointer values), then
dereferenced by
dlt_set_id_v2. Arbitrary memory read from networkinput. The daemon either crashed (most pointers invalid) or read
from an attacker-chosen address.
Plus two compounding bugs:
apid/ctiddeclared NULL, never reassigned, dereferenced at
apid[apid_length - 1]etc.(int8_t)cast onuint8_tapidlen / ctidlen produced a negativevalue for lengths > 127, leading to a negative array-index
underflow at the same dereference points.
Reachable from any client able to send control messages (dispatched
from
dlt_daemon_handle_control_messages_v2, line 1278).Fix
Replace the struct cast with incremental parsing, mirroring the
surgical approach already taken for
set_log_level_v2in #864:memcpyinto a local primitive.apid/ctidintomsg->databufferonly when theircorresponding length is non-zero.
(int8_t)casts onapid_length/ctid_length.Notes
dlt_daemon_find_multiple_context_and_send_trace_status_v2,dlt_daemon_send_trace_status_v2) still takeint8_tlengthparameters. That narrowing remains a separate latent issue — a
caller passing
apidlen > 127(legal in the wire protocol'suint8_trange) still gets a sign-flipped length passeddownstream. Called out in a code comment; out of scope for this
PR. Will follow up if maintainers want.
only" / "exact match" branches) — only the parsing and the local
variable widths changed.
size constant
DLT_SERVICE_SET_LOG_LEVEL_FIXED_SIZE_V2 = 11. Havenot added a regression test.
Related: #866 (META — V2 control-handler systemic problem).
Mirrors: #864 (same surgical approach for
set_log_level_v2).