fix: add VerifyCmdLength before SEND_HK_MID cast in EVS and ES dispatch#2755
Open
stark256-spec wants to merge 1 commit into
Open
fix: add VerifyCmdLength before SEND_HK_MID cast in EVS and ES dispatch#2755stark256-spec wants to merge 1 commit into
stark256-spec wants to merge 1 commit into
Conversation
CFE_EVS_ProcessCommandPacket() and CFE_ES_TaskPipe() both cast the SB buffer directly to *SendHkCmd_t without calling VerifyCmdLength first. Every other command code in ProcessGroundCommand/ProcessGroundCmd is guarded by a VerifyCmdLength check before the cast. A truncated or malformed SEND_HK_MID packet silently bypasses validation and causes an OOB read when the handler accesses struct fields beyond the actual packet boundary. Add the missing VerifyCmdLength guard in both dispatch functions, matching the existing pattern used for all ground commands. Fixes nasa/cFS#987 (EVS) Fixes nasa/cFS#986 (ES)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes nasa/cFS#987 (EVS) and nasa/cFS#986 (ES).
Both
CFE_EVS_ProcessCommandPacket()andCFE_ES_TaskPipe()cast the SB buffer directly to*SendHkCmd_twithout callingVerifyCmdLengthfirst. Every other command code in the respectiveProcessGroundCommand/ProcessGroundCmdswitches is guarded byVerifyCmdLengthbefore the cast. A truncatedSEND_HK_MIDpacket silently bypasses validation and causes an OOB struct-field read.Adds the missing
VerifyCmdLengthguard in both dispatch functions, matching the existing pattern for all ground commands.