diff options
author | Rolf Eike Beer <eb@emlix.com> | 2015-12-10 12:28:04 +0100 |
---|---|---|
committer | Alex Blasche <alexander.blasche@theqtcompany.com> | 2015-12-11 08:48:33 +0000 |
commit | f13aaee1c81f46176b50642e9889f09220a8249a (patch) | |
tree | 247b03bd859a2fdddfb58b04b079779265449d39 /src/plugins/canbus/socketcan/socketcanbackend.cpp | |
parent | 9bfd3e3e3fa8bb05fa1e4609f0b8c52fa8e75f67 (diff) |
QCanBusFrame: make sure not to read beyond end of frame
The header field that defines the payload length can encode more a
greater number than the actual payload array. Make sure not to read
beyond the end of the buffer by simply dropping all frames with an
invalid length.
Change-Id: Ida4433143a6c999ca5b4800505ad189e4e38d72b
Reviewed-by: Alex Blasche <alexander.blasche@theqtcompany.com>
Diffstat (limited to 'src/plugins/canbus/socketcan/socketcanbackend.cpp')
-rw-r--r-- | src/plugins/canbus/socketcan/socketcanbackend.cpp | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/plugins/canbus/socketcan/socketcanbackend.cpp b/src/plugins/canbus/socketcan/socketcanbackend.cpp index a60b8d3..39ca2c9 100644 --- a/src/plugins/canbus/socketcan/socketcanbackend.cpp +++ b/src/plugins/canbus/socketcan/socketcanbackend.cpp @@ -515,6 +515,10 @@ void SocketCanBackend::readSocket() setError(tr("ERROR SocketCanBackend: incomplete can frame"), QCanBusDevice::CanBusError::ReadError); continue; + } else if (frame.len > bytesReceived - offsetof(canfd_frame, data)) { + setError(tr("ERROR SocketCanBackend: invalid can frame length"), + QCanBusDevice::CanBusError::ReadError); + continue; } struct timeval timeStamp; |