Fix potential buffer overflow in exc_FOEread/write
An excessively long filename could overflow the mailbox buffer. Fix by
limiting the filename size to EC_MAXFOEDATA.

Problem found and fix proposed by m1etz.
hefloryd committed Apr 4, 2024
1 parent d478bce commit 83c6264
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions soem/ethercatfoe.c
Expand Up @@ -87,6 +87,10 @@ int ecx_FOEread(ecx_contextt *context, uint16 slave, char *filename, uint32 pass
aFOEp = (ec_FOEt *)&MbxIn;
FOEp = (ec_FOEt *)&MbxOut;
fnsize = (uint16)strlen(filename);
if (fnsize > EC_MAXFOEDATA)
{
fnsize = EC_MAXFOEDATA;
}
maxdata = context->slavelist[slave].mbx_l - 12;
if (fnsize > maxdata)
{
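Review bot: In ecx_FOEread the new clamp silently shortens an over-long filename to EC_MAXFOEDATA bytes instead of rejecting it, so the read request goes out under a name the caller never passed. Consider returning an error when the length exceeds the limit rather than setting `fnsize = EC_MAXFOEDATA;`, and state the maximum filename length in the function's documentation. Separately, the context line `maxdata = context->slavelist[slave].mbx_l - 12;` has no visible guard that mbx_l is at least 12; it is worth confirming that this is checked elsewhere.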
Expand Down Expand Up @@ -216,6 +220,10 @@ int ecx_FOEwrite(ecx_contextt *context, uint16 slave, char *filename, uint32 pas
FOEp = (ec_FOEt *)&MbxOut;
dofinalzero = TRUE;
fnsize = (uint16)strlen(filename);
if (fnsize > EC_MAXFOEDATA)
{
fnsize = EC_MAXFOEDATA;
}
maxdata = context->slavelist[slave].mbx_l - 12;
if (fnsize > maxdata)
{
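Review bot: In ecx_FOEwrite the length is narrowed by `fnsize = (uint16)strlen(filename);` before the new `if (fnsize > EC_MAXFOEDATA)` runs, so for a string of 65536 bytes or more the check sees the wrapped 16-bit value rather than the real length. Compare the strlen() result against EC_MAXFOEDATA before casting it. The same four-line clamp is now duplicated in ecx_FOEread and ecx_FOEwrite; a small shared helper would keep the two in sync.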