rt-thread

rt_can_read memory write out of boundary

Open easy6666 opened this issue 1 year ago • 1 comments

function _can_int_rx in components/drivers/can/can.c

/* read from software FIFO */
while (msgs)
{
    ...
        rt_memcpy(data, &listmsg->data, sizeof(struct rt_can_msg));
    ...
    data ++;
    msgs -= sizeof(struct rt_can_msg);
}

It didn't validate the data length and the rx_fifo->uselist msgs length while calling _can_int_rx in rt_can_read. If msgs > datalength, it could result in a memory write out of boundary.

easy6666 avatar Mar 19 '24 07:03 easy6666
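
Added example, not part of the issue or of RT-Thread's code: a simplified model of the FIFO read loop quoted above, in which the number of copies is derived from the destination size in bytes and from the number of queued messages, so a size that is not a whole multiple of the message size cannot drive the loop past the buffer. `can_msg`, `can_fifo`, `can_fifo_read` and the sample data are hypothetical and constructed for illustration.

```c
/* Added example: simplified model of a CAN software RX FIFO, not RT-Thread source. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIFO_SLOTS 8
struct can_msg  { unsigned int id; unsigned char len, data[8]; };  /* stand-in for struct rt_can_msg */
struct can_fifo { struct can_msg slot[FIFO_SLOTS]; size_t head, count; }; /* hypothetical */

/* Copy queued messages into dst (dst_bytes bytes long).
 * Returns bytes written, always a whole number of messages. */
size_t can_fifo_read(struct can_fifo *f, void *dst, size_t dst_bytes)
{
    size_t room = dst_bytes / sizeof(struct can_msg); /* whole messages that fit */
    size_t n = room < f->count ? room : f->count;     /* and that are queued */
    unsigned char *out = dst;

    for (size_t i = 0; i < n; i++) {
        memcpy(out, &f->slot[f->head], sizeof(struct can_msg));
        out += sizeof(struct can_msg);
        f->head = (f->head + 1) % FIFO_SLOTS;
        f->count--;
    }
    return n * sizeof(struct can_msg);
}

/* Constructed case: 5 queued messages, destination of 2 messages + 3 bytes,
 * followed by a canary. Returns 1 if only 2 messages were written. */
int demo_read_is_bounded(void)
{
    struct can_fifo f = { .head = 6, .count = 5 };
    struct { unsigned char buf[2 * sizeof(struct can_msg) + 3], canary; } u;
    struct can_msg second;

    for (size_t i = 0; i < FIFO_SLOTS; i++) f.slot[i].id = 0x100 + (unsigned int)i;
    memset(&u, 0xAA, sizeof u);
    size_t got = can_fifo_read(&f, u.buf, sizeof u.buf);
    memcpy(&second, u.buf + sizeof second, sizeof second);

    return got == 2 * sizeof(struct can_msg) && second.id == 0x107 &&
           u.buf[sizeof u.buf - 3] == 0xAA && u.buf[sizeof u.buf - 1] == 0xAA &&
           u.canary == 0xAA && f.count == 3 && f.head == 0;
}

int main(void)
{
    printf("bounded read ok: %d\n", demo_read_is_bounded());
    return 0;
}
```
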

PRs are welcome~

mysterywolf avatar Mar 19 '24 12:03 mysterywolf

https://github.com/RT-Thread/rt-thread/pull/9149

mysterywolf avatar Jul 09 '24 12:07 mysterywolf