From 83c6264f9929991bcf2918514114d19efe308e2a Mon Sep 17 00:00:00 2001
From: Hans-Erik Floryd
Date: Wed, 3 Apr 2024 16:10:31 +0200
Subject: [PATCH] Fix potential buffer overflow in exc_FOEread/write

An excessively long filename could overflow the mailbox buffer. Fix by limiting the filename size to EC_MAXFOEDATA.

Problem found and fix proposed by m1etz.
---
 soem/ethercatfoe.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/soem/ethercatfoe.c b/soem/ethercatfoe.c
index f0473ba3..6bfccfe4 100644
--- a/soem/ethercatfoe.c
+++ b/soem/ethercatfoe.c
@@ -87,6 +87,10 @@ int ecx_FOEread(ecx_contextt *context, uint16 slave, char *filename, uint32 pass
    aFOEp = (ec_FOEt *)&MbxIn;
    FOEp = (ec_FOEt *)&MbxOut;
    fnsize = (uint16)strlen(filename);
+   if (fnsize > EC_MAXFOEDATA)
+   {
+      fnsize = EC_MAXFOEDATA;
+   }
    maxdata = context->slavelist[slave].mbx_l - 12;
    if (fnsize > maxdata)
    {
@@ -216,6 +220,10 @@ int ecx_FOEwrite(ecx_contextt *context, uint16 slave, char *filename, uint32 pas
    FOEp = (ec_FOEt *)&MbxOut;
    dofinalzero = TRUE;
    fnsize = (uint16)strlen(filename);
+   if (fnsize > EC_MAXFOEDATA)
+   {
+      fnsize = EC_MAXFOEDATA;
+   }
    maxdata = context->slavelist[slave].mbx_l - 12;
    if (fnsize > maxdata)
    {
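Review bot: The new clamp in ecx_FOEread tests `fnsize` only after `(uint16)strlen(filename)` has narrowed the length, so a filename of 65536 bytes or more wraps to a small value, passes both this check and the `maxdata` check, and is sent as a name that is not the one the caller supplied; the ecx_FOEwrite hunk has the same problem. Testing the unnarrowed length fixes it with a one-line change, `if (strlen(filename) > EC_MAXFOEDATA)`, leaving the assignment below it to pick up the clamped value. Silently shortening the name also means an oversize request addresses a different file on the slave than the caller asked for; the `if (fnsize > maxdata)` branch is cut off at the hunk edge, so I cannot see whether it truncates or rejects, but if the function's error return allows it, rejecting the request with a comment such as `/* filename longer than EC_MAXFOEDATA cannot fit in the FoE header; reject rather than truncate */` is the safer choice. Both ecx_FOEread and ecx_FOEwrite begin and end outside their hunks.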