Potential stack-based buffer overflow in KM_901U_Service

Hi,

The function `KM_901U_Service` uses a buffer of 32 bytes to copy received messages:
https://github.com/EBiCS/EBiCS_Firmware/blob/18b9437c088ac56e46872d28780e4cd06a264531/Src/display_kingmeter.c#L370

However, the length of `KM_ctx->RxBuff` is 64 bytes:
https://github.com/EBiCS/EBiCS_Firmware/blob/18b9437c088ac56e46872d28780e4cd06a264531/Inc/display_kingmeter.h#L157

and the maximum length for DMA transfers is also 64 bytes:
https://github.com/EBiCS/EBiCS_Firmware/blob/18b9437c088ac56e46872d28780e4cd06a264531/Src/display_kingmeter.c#L200-L216

This means that copying into `KM_Message` may overflow:
https://github.com/EBiCS/EBiCS_Firmware/blob/18b9437c088ac56e46872d28780e4cd06a264531/Src/display_kingmeter.c#L374-L388

In my case, the `memcpy` corrupts `htim3->Instance` and later causes a data abort exception in `TIM3_IRQHandler`.

Therefore, I believe the length of `KM_Message` should be set to 64 bytes to address the above issue:
```
diff --git a/Src/display_kingmeter.c b/Src/display_kingmeter.c
index 7cbca45..6e5b154 100644
--- a/Src/display_kingmeter.c
+++ b/Src/display_kingmeter.c
@@ -367,7 +367,7 @@ static void KM_901U_Service(KINGMETER_t* KM_ctx)
 
     static uint8_t  TxCnt;
     static uint8_t  Rx_message_length;
-    static uint8_t  KM_Message[32];
+    static uint8_t  KM_Message[64];
 
     recent_pointer_position = 64-DMA1_Channel5->CNDTR;
 
```

Looking for your reply!

	#if (DISPLAY_TYPE == DISPLAY_TYPE_KINGMETER_618U)
	//Start UART with DMA
	if (HAL_UART_Receive_DMA(&huart1, (uint8_t *)KM_ctx->RxBuff, KM_MAX_RXBUFF) != HAL_OK)
	{
	Error_Handler();
	}
	#endif

	#if (DISPLAY_TYPE == DISPLAY_TYPE_KINGMETER_901U\|\| DISPLAY_TYPE & DISPLAY_TYPE_DEBUG)
	//Start UART with DMA
	if (HAL_UART_Receive_DMA(&huart1, (uint8_t *)KM_ctx->RxBuff, 64) != HAL_OK)
	{
	Error_Handler();
	}
	#endif
	// HAL_UART_Transmit_DMA(&huart1, (uint8_t *)&buffer, KM_MAX_RXBUFF);
	}

	if(recent_pointer_position>last_pointer_position){
	Rx_message_length=recent_pointer_position-last_pointer_position;
	//printf_("groesser %d, %d, %d \n ",recent_pointer_position,last_pointer_position, Rx_message_length);
	//HAL_GPIO_WritePin(LED_GPIO_Port, LED_Pin, GPIO_PIN_SET);
	memcpy(KM_Message,KM_ctx->RxBuff+last_pointer_position,Rx_message_length);
	//HAL_UART_Transmit(&huart3, (uint8_t *)&KM_Message, Rx_message_length,50);
	}
	else {
	Rx_message_length=recent_pointer_position+64-last_pointer_position;
	memcpy(KM_Message,KM_ctx->RxBuff+last_pointer_position,64-last_pointer_position);
	memcpy(KM_Message+64-last_pointer_position,KM_ctx->RxBuff,recent_pointer_position);
	// HAL_GPIO_WritePin(LED_GPIO_Port, LED_Pin, GPIO_PIN_RESET);


	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Potential stack-based buffer overflow in KM_901U_Service #73

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Potential stack-based buffer overflow in KM_901U_Service #73

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions