fix: guard against NULL data_ptr in CF_CFDP_CopyStringFromLV#501
Open
stark256-spec wants to merge 1 commit into
Open
fix: guard against NULL data_ptr in CF_CFDP_CopyStringFromLV#501stark256-spec wants to merge 1 commit into
stark256-spec wants to merge 1 commit into
Conversation
CF_CFDP_DoDecodeChunk() sets data_ptr to NULL when the attacker-supplied LV length field exceeds the remaining PDU bytes. Without an explicit NULL check, CF_CFDP_CopyStringFromLV() passes NULL directly to memcpy(), which is undefined behaviour and causes a NULL-pointer dereference on most platforms (crash / denial of service via crafted CFDP Metadata PDU). Add a data_ptr != NULL guard before the memcpy so the function returns CF_ERROR consistently whether the decode ran out of PDU data (NULL ptr) or the string was longer than the destination buffer. Fixes: nasa#491
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CF_CFDP_DoDecodeChunk()returnsNULLwhen the attacker-supplied LVlengthfield in a CFDP Metadata PDU exceeds the remaining bytes in the receive buffer (it also marks the codec state as DONE). Without a correspondingNULLcheck inCF_CFDP_CopyStringFromLV(), thememcpy(buf, src_lv->data_ptr, ...)call receives aNULLsource pointer — undefined behaviour that causes a NULL-pointer dereference (crash / denial-of-service) on most platforms when a crafted Metadata PDU is received.Fixes #491.
Root cause
Fix
Add
src_lv->data_ptr != NULLto the existing guard — one line, no signature changes:CF_CFDP_CopyStringFromLV()now returnsCF_ERRORconsistently whether the PDU ran out of data (NULL ptr from decode) or the string would overflow the destination buffer.Note:
CF_CFDP_RecvMd()already checksCF_CODEC_IS_OK()before calling this function, which catches the malformed PDU at the Metadata level. This fix adds a defence-in-depth guard at the function level.