CAN: fix length calculation in message constructor

The two types of the CANMessage constructor accepting a data buffer have two issues. First, they limit the input buffer size to the 4 least significant bits of the passed length even though a CAN message cannot have more than 8 bytes of payload. Second, the used data length in the following memcpy() uses the initially passed data length, which may exceed the internal data buffer size. Both will lead to hard-to-find bugs if the passed data buffer size is outside the limits according to the CAN standard. This fix intends to solve this by limiting the input data size to 8 bytes.
pull/12441/head
daniel-starke 2020-02-14 22:19:55 +01:00
parent 3d038e55ee
commit cb62dcbf83
1 changed files with 4 additions and 4 deletions

@ -65,11 +65,11 @@ public:
*/
CANMessage(unsigned int _id, const unsigned char *_data, unsigned char _len = 8, CANType _type = CANData, CANFormat _format = CANStandard)
{
len = _len & 0xF;
len = (_len > 8) ? 8 : _len;
type = _type;
format = _format;
id = _id;
memcpy(data, _data, _len);
memcpy(data, _data, len);
}
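Review bot: The bound in `len = (_len > 8) ? 8 : _len;` is a hard-coded 8 and the truncation is silent. If `data` is a fixed-size member array, deriving the limit from it (for example `sizeof(data)`) or from a named constant would keep the memcpy() bound tied to the destination buffer if its size ever changes. The constructor's doc comment should also state that lengths above 8 are truncated, since the caller gets no other indication that part of its buffer was dropped. Separately, memcpy() still dereferences `_data` unconditionally; if callers can pass a null pointer with a non-zero `_len`, that case needs a guard here.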
@ -83,11 +83,11 @@ public:
*/
CANMessage(unsigned int _id, const char *_data, unsigned char _len = 8, CANType _type = CANData, CANFormat _format = CANStandard)
{
len = _len & 0xF;
len = (_len > 8) ? 8 : _len;
type = _type;
format = _format;
id = _id;
memcpy(data, _data, _len);
memcpy(data, _data, len);
}
/** Creates CAN remote message.
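Review bot: The clamp and the memcpy() are now duplicated line for line between this `const char *` overload and the `const unsigned char *` one above. Having this overload delegate to the other (or both call one private helper) would keep the length check in a single place, so a later change to the limit cannot be applied to one constructor and missed in the other, which is how the original `_len & 0xF` / `memcpy(data, _data, _len)` mismatch ended up in both.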