authorRolf Eike Beer <eb@emlix.com>2015-12-10 12:28:04 +0100
committerAlex Blasche <alexander.blasche@theqtcompany.com>2015-12-11 08:48:33 +0000
commitf13aaee1c81f46176b50642e9889f09220a8249a (patch)
tree247b03bd859a2fdddfb58b04b079779265449d39 /src/plugins/canbus/socketcan/socketcanbackend.cpp
parent9bfd3e3e3fa8bb05fa1e4609f0b8c52fa8e75f67 (diff)
QCanBusFrame: make sure not to read beyond end of frame
The header field that defines the payload length can encode a number greater than the size of the actual payload array. Make sure not to read beyond the end of the buffer by simply dropping all frames with an invalid length. Change-Id: Ida4433143a6c999ca5b4800505ad189e4e38d72b Reviewed-by: Alex Blasche <alexander.blasche@theqtcompany.com>
Diffstat (limited to 'src/plugins/canbus/socketcan/socketcanbackend.cpp')
-rw-r--r--src/plugins/canbus/socketcan/socketcanbackend.cpp4
1 files changed, 4 insertions, 0 deletions
diff --git a/src/plugins/canbus/socketcan/socketcanbackend.cpp b/src/plugins/canbus/socketcan/socketcanbackend.cpp
index a60b8d3..39ca2c9 100644
--- a/src/plugins/canbus/socketcan/socketcanbackend.cpp
+++ b/src/plugins/canbus/socketcan/socketcanbackend.cpp
@@ -515,6 +515,10 @@ void SocketCanBackend::readSocket()
setError(tr("ERROR SocketCanBackend: incomplete can frame"),
QCanBusDevice::CanBusError::ReadError);
continue;
+ } else if (frame.len > bytesReceived - offsetof(canfd_frame, data)) {
+ setError(tr("ERROR SocketCanBackend: invalid can frame length"),
+ QCanBusDevice::CanBusError::ReadError);
+ continue;
}
struct timeval timeStamp;
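Review bot: The bound in the added `else if` is computed as `bytesReceived - offsetof(canfd_frame, data)`, which is evaluated as an unsigned `size_t` because of `offsetof`. If `bytesReceived` were ever smaller than the header size, the subtraction would wrap to a very large value and the new length check would let the frame through. The preceding branch, whose condition lies outside the hunk, appears to reject incomplete reads, so this is probably safe as written, but the guard silently depends on that ordering. Writing it additively, `} else if (frame.len + offsetof(canfd_frame, data) > size_t(bytesReceived)) {`, removes the wrap for short positive reads. A comment such as `// bytesReceived is a full CAN or CAN FD frame here, so the subtraction cannot underflow` would record the assumption if the current form is kept.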