
TF_CKSUM_NONE can lead to memory corruption if RX message too large

Open belchercw opened this issue 3 years ago • 2 comments

When checksum is set to TF_CKSUM_NONE, there is no validation of the incoming message length, and a message that is too large will overflow the RX buffer, causing memory corruption.

belchercw, Nov 02 '22 19:11

You're right, thanks for the report. I don't currently use the library in any project, but I will merge a pull request for this.

Can you try & verify if the fix works right?

I think it's just about moving the length check https://github.com/MightyPork/TinyFrame/blob/master/TinyFrame.c#L671 directly into the TFState_LEN case: https://github.com/MightyPork/TinyFrame/blob/master/TinyFrame.c#L623

MightyPork, Nov 02 '22 19:11

Wow - fast response. I've already fixed my issue that triggered this in the first place (I meant to be using CRC16), so it's a little tricky for me to get things back into the failing case, but your proposed fix is exactly what I was thinking as well. Sounds valid to me!

belchercw, Nov 02 '22 20:11
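
A simplified model of the fix proposed in this thread, added here as an illustration and not TinyFrame's own code: the declared length is validated in the LEN state, before any payload byte is stored. The frame layout, `RX_MAX`, `struct rx` and `rx_accept_byte` are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define RX_MAX 16u   /* payload buffer size (assumed value) */

enum rx_state  { ST_LEN, ST_DATA };
enum rx_result { RX_MORE, RX_FRAME, RX_REJECT };

struct rx {
    enum rx_state state;
    uint16_t len;            /* declared payload length */
    uint16_t got;            /* bytes consumed in the current field */
    uint8_t  data[RX_MAX];
    uint32_t canary;         /* sits after the buffer; must never change */
};

static void rx_init(struct rx *r) { memset(r, 0, sizeof *r); r->canary = 0xC0FFEEu; }
/* Feed one byte. Constructed layout: 2-byte big-endian LEN, then LEN payload
 * bytes, no checksum field (the configuration the issue is about). */
static enum rx_result rx_accept_byte(struct rx *r, uint8_t b)
{
    if (r->state == ST_LEN) {
        if (r->got == 0) r->len = 0;
        r->len = (uint16_t)((r->len << 8) | b);
        if (++r->got < 2) return RX_MORE;
        r->got = 0;
        /* Validate as soon as LEN is complete, before any payload byte is
         * stored, so the bound holds regardless of checksum configuration. */
        if (r->len > RX_MAX) return RX_REJECT;
        if (r->len == 0) return RX_FRAME;
        r->state = ST_DATA;
        return RX_MORE;
    }
    r->data[r->got++] = b;   /* in bounds: got < len <= RX_MAX */
    if (r->got < r->len) return RX_MORE;
    r->got = 0;
    r->state = ST_LEN;
    return RX_FRAME;
}

int main(void)
{
    struct rx r; rx_init(&r);
    const uint8_t oversized[] = { 0x01, 0x00 };   /* constructed: LEN = 256 */
    enum rx_result res = RX_MORE;
    for (size_t i = 0; i < sizeof oversized; i++) res = rx_accept_byte(&r, oversized[i]);
    printf("oversized header -> %s\n", res == RX_REJECT ? "rejected" : "accepted");
    return res == RX_REJECT ? 0 : 1;
}
```

The model has no start-of-frame byte, so resynchronising the stream after a reject is outside what it shows.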