Describe the bug
The 3rd argument to CFE_MSG_Init() indicates the actual/real size of the structure that should be initialized. All of the operations that deal with a primary header assume it must be at least this size, and write to the primary header.
However, CFE_MSG_Init() does not confirm that the size is at least the minimum required. It will still write fields (e.g. MsgID) into the primary header, even if the size passed in is 0.
To Reproduce
Call default CFE_MSG_Init() with size specified as 0. The MsgID is still written into the primary header.
This is basically a buffer overflow, as the function wrote to memory that was beyond the end of the buffer.
Expected behavior
The function should never write beyond the end of the buffer. Passing a size of 0 should not initialize/write anything because there is no buffer to write to.
Code snips
Implementation of CFE_MSG_Init - note this proceeds to "InitDefaultHdr" regardless of Size (excerpt as quoted in the issue; the remainder of the function is not shown).

```c
CFE_Status_t CFE_MSG_Init(CFE_MSG_Message_t *MsgPtr, CFE_SB_MsgId_t MsgId, CFE_MSG_Size_t Size)
{
    int32 status;

    if (MsgPtr == NULL)
    {
        return CFE_MSG_BAD_ARGUMENT;
    }

    /* Clear and set defaults */
    memset(MsgPtr, 0, Size);        /* zeroes exactly Size bytes, i.e. nothing when Size == 0 ... */
    CFE_MSG_InitDefaultHdr(MsgPtr); /* ... but the full primary header is written regardless of Size */
    /* excerpt ends here */
```
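The two behaviours this report contrasts, as an added example that is not cFE code: a stand-in message type with an init routine following the unchecked pattern from the snippet, a checked variant that refuses any Size smaller than the primary header (an illustration of the guard the report asks for, not the upstream fix), and a canary probe that counts bytes written at or past the caller's stated Size. The type names, header layout, status values and the message ID 0x1881 are assumptions constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in types for this example only (assumption: the real cFE types such as
 * CFE_Status_t, CFE_SB_MsgId_t, CFE_MSG_Size_t and CFE_MSG_Message_t are not used). */
typedef int32_t Status_t;
#define MSG_SUCCESS      0
#define MSG_BAD_ARGUMENT (-1)
typedef uint16_t MsgId_t;

/* Constructed 6-byte primary header in the style of a CCSDS primary header;
 * the field layout is an assumption made for the example. */
typedef struct
{
    uint8_t StreamId[2]; /* carries the message ID in this example */
    uint8_t Sequence[2]; /* sequence flags + count */
    uint8_t Length[2];
} PrimaryHdr_t;

typedef struct
{
    PrimaryHdr_t Hdr;
} Message_t;

/* Header defaults written by both variants below (constructed values). */
static void InitDefaultHdr(Message_t *MsgPtr, MsgId_t MsgId)
{
    MsgPtr->Hdr.StreamId[0] = (uint8_t)(MsgId >> 8);
    MsgPtr->Hdr.StreamId[1] = (uint8_t)(MsgId & 0xFFu);
    MsgPtr->Hdr.Sequence[0] = 0xC0; /* "unsegmented" sequence flags */
}

/* The pattern the issue describes: Size bounds the memset but not the header
 * write, so any Size smaller than the primary header overruns the buffer. */
static Status_t Msg_Init_Unchecked(Message_t *MsgPtr, MsgId_t MsgId, size_t Size)
{
    if (MsgPtr == NULL)
    {
        return MSG_BAD_ARGUMENT;
    }
    memset(MsgPtr, 0, Size);
    InitDefaultHdr(MsgPtr, MsgId);
    return MSG_SUCCESS;
}

/* Hardened variant (an illustration, not the upstream fix): reject any Size
 * that cannot hold the primary header before touching the buffer at all. */
static Status_t Msg_Init_Checked(Message_t *MsgPtr, MsgId_t MsgId, size_t Size)
{
    if (MsgPtr == NULL || Size < sizeof(PrimaryHdr_t))
    {
        return MSG_BAD_ARGUMENT;
    }
    memset(MsgPtr, 0, Size);
    InitDefaultHdr(MsgPtr, MsgId);
    return MSG_SUCCESS;
}

typedef Status_t (*InitFn_t)(Message_t *, MsgId_t, size_t);

/* Canary probe: the message sits inside a larger buffer pre-filled with 0xAA, so
 * the init function is called with a Size smaller than the real allocation and
 * every byte it changes at or past offset Size is a write beyond the caller's
 * stated buffer. Returns the count of such bytes; status is reported via StatusOut. */
static size_t ProbeOverrun(InitFn_t Init, size_t Size, Status_t *StatusOut)
{
    union { Message_t Msg; uint8_t Raw[2 * sizeof(Message_t)]; } Buf;
    size_t   i, Beyond = 0;
    Status_t St;

    if (Size > sizeof(Message_t)) { Size = sizeof(Message_t); }
    memset(Buf.Raw, 0xAA, sizeof(Buf.Raw));
    St = Init(&Buf.Msg, 0x1881u, Size); /* constructed message ID */
    for (i = Size; i < sizeof(Buf.Raw); i++)
    {
        if (Buf.Raw[i] != 0xAA) { Beyond++; }
    }
    if (StatusOut != NULL) { *StatusOut = St; }
    return Beyond;
}

/* Single-value wrappers for the two things worth checking. */
static size_t   OverrunBytes(InitFn_t Init, size_t Size) { return ProbeOverrun(Init, Size, NULL); }
static Status_t InitStatus(InitFn_t Init, size_t Size) { Status_t St; (void)ProbeOverrun(Init, Size, &St); return St; }

int main(void)
{
    printf("unchecked, Size=0: %zu bytes written beyond buffer\n", OverrunBytes(Msg_Init_Unchecked, 0));
    printf("unchecked, Size=2: %zu bytes written beyond buffer\n", OverrunBytes(Msg_Init_Unchecked, 2));
    printf("checked,   Size=0: %zu bytes written beyond buffer, status %d\n",
           OverrunBytes(Msg_Init_Checked, 0), (int)InitStatus(Msg_Init_Checked, 0));
    printf("checked,   Size=%zu: %zu bytes written beyond buffer\n",
           sizeof(Message_t), OverrunBytes(Msg_Init_Checked, sizeof(Message_t)));
    return 0;
}
```

With Size 0 the unchecked routine still lands three header bytes past the caller's stated end of buffer, and with Size 2 it still lands one; the checked routine returns MSG_BAD_ARGUMENT without writing anything, and writes nothing past Size once Size covers the header. The same canary technique is a cheap unit-test oracle for any "init this many bytes" API.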
System observed on:
Debian
Additional context
Related issue in CF that was relying on this bug -- this is being fixed in nasa/CF#401
Reporter Info
Joseph Hickey, Vantage Systems, Inc.
Code snip source: cFE/modules/msg/fsw/src/cfe_msg_init.c, lines 34 to 45 at commit a8b20ac