ocp: telemetry parser buffer overflow for events exceeding 32 dwords #2686

Open
NateThornton opened this issue Jan 31, 2025 · 0 comments

Buffer overflow encountered when parsing OCP telemetry data

```c
void print_formatted_var_size_str(const char *msg, const __u8 *pdata, size_t data_size, FILE *fp)
{
	char description_str[256] = "";
	char temp_buffer[3] = { 0 };

	for (size_t i = 0; i < data_size; ++i) {
		sprintf(temp_buffer, "%02X", pdata[i]);
		strcat(description_str, temp_buffer);
	}

	if (fp)
		fprintf(fp, "%s: %s\n", msg, description_str);
	else
		printf("%s: %s\n", msg, description_str);
}
```

The fixed 256-byte description_str will overflow for any reasonably sized data_size >= 128.

Max data_size for OCP VU Event Data is 0xFF Dwords, so the buffer should be at least 1020 bytes + 1 for null. 1024 seems like a nice number for OCP.

But this method was added to utils.c in e9c2e8f and any caller could overflow this buffer. While making it larger for the current ocp-telemetry-decode.c use cases, one should also prevent buffer overflows for all users.
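One way to make the printer safe for every caller, as an added example that is not part of the original issue or the project's code: encode through a bounds-checked helper and stream the hex in fixed-size chunks, so no buffer has to be sized for the largest event. The names `hex_encode_bounded` and `print_hex_field` are hypothetical, and `uint8_t` stands in for `__u8`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper: encode what fits in out (2 hex chars per byte + NUL). */
static size_t hex_encode_bounded(const uint8_t *pdata, size_t data_size,
				 char *out, size_t out_size)
{
	static const char digits[] = "0123456789ABCDEF";
	size_t n;

	if (!out || out_size == 0)
		return 0;
	n = pdata ? (out_size - 1) / 2 : 0;
	if (n > data_size)
		n = data_size;
	for (size_t i = 0; i < n; ++i) {
		out[2 * i] = digits[pdata[i] >> 4];
		out[2 * i + 1] = digits[pdata[i] & 0x0F];
	}
	out[2 * n] = '\0';
	return n;	/* input bytes consumed; less than data_size means truncated */
}

/* Hypothetical printer: fixed chunk buffer, returns 0 or -1 on I/O error. */
static int print_hex_field(const char *msg, const uint8_t *pdata,
			   size_t data_size, FILE *fp)
{
	char chunk[65];	/* 32 input bytes per pass + NUL */
	size_t off = 0;

	if (!fp)
		fp = stdout;
	if (fprintf(fp, "%s: ", msg ? msg : "") < 0)
		return -1;
	while (pdata && off < data_size) {
		off += hex_encode_bounded(pdata + off, data_size - off, chunk, sizeof(chunk));
		if (fputs(chunk, fp) == EOF)
			return -1;
	}
	return fputc('\n', fp) == EOF ? -1 : 0;
}

int main(void)
{
	uint8_t event[0xFF * 4] = { 0xDE, 0xAD };	/* constructed sample, rest zero */
	return print_hex_field("VU Event Data", event, sizeof(event), NULL);
}
```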
