Integer overflow causes massive OOB writes when INAV firmware handles CRSF_FRAMETYPE_MSP_REQ/CRSF_FRAMETYPE_MSP_WRITE #11209
Description
Current Behavior
// src/main/rx/crsf.c
STATIC_UNIT_TESTED void crsfDataReceive(uint16_t c, void *rxCallbackData)
{
// ...
switch (crsfFrame.frame.type) {
// ...
case CRSF_FRAMETYPE_MSP_REQ:
case CRSF_FRAMETYPE_MSP_WRITE: {
uint8_t *frameStart = (uint8_t *)&crsfFrame.frame.payload + CRSF_FRAME_ORIGIN_DEST_SIZE;
// if frameLength is 3, the subtraction overflows and the result is -1(0xffffffff),
// because the second paramter of bufferCrsfMspFrame is an int
if (bufferCrsfMspFrame(frameStart, crsfFrame.frame.frameLength - 4)) {
crsfScheduleMspResponse(crsfFrame.frame.payload[1]);
}
break;
}
}
}
bool bufferCrsfMspFrame(uint8_t *frameStart, int frameLength)
{
if (mspRxBuffer.len + CRSF_MSP_LENGTH_OFFSET + frameLength > CRSF_MSP_BUFFER_SIZE) {
return false;
} else {
uint8_t *p = mspRxBuffer.bytes + mspRxBuffer.len;
*p++ = frameLength;
// massive overflow since frameLength is treated as an unsigned integer
memcpy(p, frameStart, frameLength);
mspRxBuffer.len += CRSF_MSP_LENGTH_OFFSET + frameLength;
return true;
}
}Steps to Reproduce
- Send a malformed
CRSF_FRAMETYPE_MSP_REQ/CRSF_FRAMETYPE_MSP_WRITE CRSFpacket with frame length set to 3
Expected behavior
The parser should reject the above malformed CRSF packets.
Suggested solution(s)
If crsfFrame.frame.frameLength < 4, the parser should discard the frame.
Additional context
- FC Board name and vendor:
- INAV version string: commit
27479930da676687ff3e8939b1c014d72633f0d4