Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

TF_CKSUM_NONE can lead to memory corruption if RX message too large #27

Open
belchercw opened this issue Nov 2, 2022 · 2 comments
Open

TF_CKSUM_NONE can lead to memory corruption if RX message too large #27

belchercw opened this issue Nov 2, 2022 · 2 comments

Comments

@belchercw
Copy link

When checksum is set to TF_CKSUM_NONE, there is no validation of the incoming message length, and a message that is too large will overflow the RX buffer, causing memory corruption.
@MightyPork
Copy link
Owner

You're right, thanks for the report. I don't currently use the library in any project, but I will merge a pull request for this.

Can you try & verify if the fix works right?

I think it's just about moving the length check https://github.com/MightyPork/TinyFrame/blob/master/TinyFrame.c#L671 directly into the TFState_LEN case: https://github.com/MightyPork/TinyFrame/blob/master/TinyFrame.c#L623

@belchercw
Copy link
Author

Wow - fast response. I've already fixed my issue that triggered this in the first place (I meant to be using CRC16), so its a little tricky for me to get things back into the failing case, but your proposed fix is exactly what I was thinking as well. Sounds valid to me!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MightyPork @belchercw