authorAndre Hartmann <aha_1980@gmx.de>2021-06-23 14:33:07 +0200
committerAndré Hartmann <aha_1980@gmx.de>2021-07-19 10:51:12 +0000
commit8eaa91e1edd7a2b5849a18487a08c440b2b7a27a (patch)
treebe9517e0e1ffd9989f354800da72fac27405f66f /src/plugins/canbus/peakcan
parent35f4b6585eaf53777cce7e1419d422a000ff06dd (diff)
CAN: Fix overreading QByteArray buffer
The old code did not take the size of the payload QByteArray into account, so that for small payloads read accesses outside the QByteArray data field occurred. While this should be no big problem in reality, memory checkers like Address Sanitizer will report such issues. We now only copy the bytes the payload QByteArray really provides. We can do this, as every derived QCanBusDevice::writeFrame() method already does a QCanBusFrame::isValid() check before enqueuing the outgoing frames, so that the maximum length of the payload field is always guaranteed, for CAN 2.0 as well as CAN FD. [ChangeLog][CAN] Fixed potential read buffer overflows when sending CAN frames in diverse CAN backends which were detected by Address Sanitizer. Pick-to: 6.2 Fixes: QTBUG-94695 Change-Id: I2e45f6c14ae0fe88ba83f52dd5db4ffe24dada58 Reviewed-by: Alex Blasche <alexander.blasche@qt.io>
Diffstat (limited to 'src/plugins/canbus/peakcan')
-rw-r--r--src/plugins/canbus/peakcan/peakcanbackend.cpp10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/plugins/canbus/peakcan/peakcanbackend.cpp b/src/plugins/canbus/peakcan/peakcanbackend.cpp
index 3b5ca6c..45d8023 100644
--- a/src/plugins/canbus/peakcan/peakcanbackend.cpp
+++ b/src/plugins/canbus/peakcan/peakcanbackend.cpp
@@ -635,13 +635,13 @@ void PeakCanBackendPrivate::startWrite()
const QCanBusFrame frame = q->dequeueOutgoingFrame();
const QByteArray payload = frame.payload();
+ const qsizetype payloadSize = payload.size();
TPCANStatus st = PCAN_ERROR_OK;
if (isFlexibleDatarateEnabled) {
- const int size = payload.size();
TPCANMsgFD message = {};
message.ID = frame.frameId();
- message.DLC = sizeToDlc(size);
+ message.DLC = sizeToDlc(payloadSize);
message.MSGTYPE = frame.hasExtendedFrameFormat() ? PCAN_MESSAGE_EXTENDED
: PCAN_MESSAGE_STANDARD;
@@ -653,7 +653,7 @@ void PeakCanBackendPrivate::startWrite()
if (frame.frameType() == QCanBusFrame::RemoteRequestFrame)
message.MSGTYPE |= PCAN_MESSAGE_RTR; // we do not care about the payload
else
- ::memcpy(message.DATA, payload.constData(), sizeof(message.DATA));
+ ::memcpy(message.DATA, payload.constData(), payloadSize);
st = ::CAN_WriteFD(channelIndex, &message);
} else if (frame.hasFlexibleDataRateFormat()) {
const char errorString[] = "Cannot send CAN FD frame format as CAN FD is not enabled.";
@@ -662,14 +662,14 @@ void PeakCanBackendPrivate::startWrite()
} else {
TPCANMsg message = {};
message.ID = frame.frameId();
- message.LEN = static_cast<quint8>(payload.size());
+ message.LEN = static_cast<quint8>(payloadSize);
message.MSGTYPE = frame.hasExtendedFrameFormat() ? PCAN_MESSAGE_EXTENDED
: PCAN_MESSAGE_STANDARD;
if (frame.frameType() == QCanBusFrame::RemoteRequestFrame)
message.MSGTYPE |= PCAN_MESSAGE_RTR; // we do not care about the payload
else
- ::memcpy(message.DATA, payload.constData(), sizeof(message.DATA));
+ ::memcpy(message.DATA, payload.constData(), payloadSize);
st = ::CAN_Write(channelIndex, &message);
}
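Review bot: The two memcpy calls now rely entirely on the upstream QCanBusFrame::isValid() check to keep `payloadSize` within `sizeof(message.DATA)`; nothing at the copy site enforces that bound, so a future caller that enqueues an unvalidated frame would turn the old over-read into an overwrite of the stack-allocated message. An assertion next to each copy records and checks the invariant locally, e.g. `Q_ASSERT(payloadSize <= qsizetype(sizeof(message.DATA)));` immediately before `::memcpy(message.DATA, payload.constData(), payloadSize);`, in both the CAN FD branch (second hunk) and the classic CAN branch here. The same invariant is what makes the narrowing `static_cast<quint8>(payloadSize)` safe, so the assertion covers it too; if an assert is unwanted, clamping with `qMin(payloadSize, qsizetype(sizeof(message.DATA)))` at the copy serves the same purpose. startWrite() begins before the first hunk, and whatever follows the closing brace of the else block is outside this hunk.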