fix: clamp PktLen in CFE_MSG_ComputeCheckSum to MAX_SB_MSG_SIZE#2756
Open
stark256-spec wants to merge 1 commit into
CFE_MSG_GetSize() reads the loop bound directly from the attacker-controlled CCSDS Length field. Without an upper-bound check the while(PktLen--) loop iterates over PktLen bytes regardless of the actual allocated buffer, enabling an OOB heap read proportional to the difference between the claimed and actual message size.

Clamp PktLen to CFE_MISSION_SB_MAX_SB_MSG_SIZE (the largest valid SB message) before entering the loop. A larger value indicates a malformed message and is treated as zero (returns 0xFF checksum), which will fail the subsequent validity check in the caller.

Fixes nasa/cFS#2699
Fixes nasa/cFS#2699.
`CFE_MSG_GetSize()` reads the loop bound from the attacker-controlled CCSDS Length field. Without an upper-bound check, `while(PktLen--)` iterates over an attacker-chosen number of bytes regardless of the actual buffer, enabling an OOB heap read. Clamps PktLen to `CFE_MISSION_SB_MAX_SB_MSG_SIZE` before the loop; a larger value indicates a malformed message and is treated as zero.
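The bounded checksum loop described above, as an added stand-alone model; it is not the PR's diff or cFS source. `checksum_bounded`, `claimed_size`, the `received` parameter and the value 64 for the maximum are assumptions, and the check against `received` goes beyond the clamp the PR describes by also bounding the loop to the bytes actually held.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SB_MSG_SIZE 64u /* assumed stand-in for CFE_MISSION_SB_MAX_SB_MSG_SIZE */
#define CCSDS_HDR_LEN   6u  /* CCSDS primary header size in bytes */

/* Total size claimed by the header: the 16-bit big-endian Length field
 * (bytes 4-5) holds "total bytes - 7" in the CCSDS space packet format. */
static size_t claimed_size(const uint8_t *pkt)
{
    return (size_t)((pkt[4] << 8) | pkt[5]) + 7u;
}

/* XOR checksum seeded with 0xFF. A claimed size above the maximum, or above
 * the bytes actually received, is treated as zero length: the seed 0xFF is
 * returned and no packet byte is read. */
uint8_t checksum_bounded(const uint8_t *pkt, size_t received)
{
    uint8_t sum = 0xFF;
    size_t  len;

    if (received < CCSDS_HDR_LEN)
        return sum;              /* header incomplete, Length field unreadable */
    len = claimed_size(pkt);
    if (len > MAX_SB_MSG_SIZE || len > received)
        len = 0;                 /* malformed: do not trust the field */
    while (len--)
        sum ^= *pkt++;
    return sum;
}

int main(void)
{
    /* Constructed samples, 8 bytes each. */
    uint8_t ok[8]    = {0x18, 0x01, 0xC0, 0x00, 0x00, 0x01, 0xAA, 0x55}; /* claims 8 */
    uint8_t huge[8]  = {0x18, 0x01, 0xC0, 0x00, 0xFF, 0xFF, 0xAA, 0x55}; /* claims 65542 */
    uint8_t short_[8] = {0x18, 0x01, 0xC0, 0x00, 0x00, 0x20, 0xAA, 0x55}; /* claims 39 */

    printf("ok=0x%02X huge=0x%02X short=0x%02X\n",
           checksum_bounded(ok, sizeof ok),
           checksum_bounded(huge, sizeof huge),
           checksum_bounded(short_, sizeof short_));
    return 0;
}
```

The third sample claims 39 bytes, which is under the assumed maximum but more than the 8 bytes held, so only the `received` check stops the loop from running past the buffer.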