jeans/Tasmota
jeans/Tasmota
1
0
Fork 0
mirror of https://github.com/arendst/Tasmota.git synced 2025-07-25 11:46:31 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix possible buffer overflow

Browse Source
This commit is contained in:
Theo Arends 2023-07-12 12:45:02 +02:00
parent 5b6a25a7a0
commit 9638beacec
1 changed files with 18 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
tasmota/tasmota_support/settings.ino
View File

@ -474,7 +474,9 @@ uint32_t SettingsConfigBackup(void) {
if (XdrvCallDriver(i, FUNC_RESTORE_SETTINGS)) { // Enabled driver if (XdrvCallDriver(i, FUNC_RESTORE_SETTINGS)) { // Enabled driver
// Use most relevant config data which might not have been saved to file // Use most relevant config data which might not have been saved to file
// AddLog(LOG_LEVEL_DEBUG, PSTR("CFG: Backup driver %d"), i); // AddLog(LOG_LEVEL_DEBUG, PSTR("CFG: Backup driver %d"), i);
memcpy(filebuf_ptr, (uint8_t*)XdrvMailbox.data, fsize); uint32_t data_size = fsize; // Fix possible buffer overflow
if (data_size > XdrvMailbox.index) { data_size = XdrvMailbox.index; }
memcpy(filebuf_ptr, (uint8_t*)XdrvMailbox.data, data_size);
cfg_crc32 = GetCfgCrc32(filebuf_ptr +4, fsize -4); // Calculate crc (again) as it might be wrong when savedata = 0 (#3918) cfg_crc32 = GetCfgCrc32(filebuf_ptr +4, fsize -4); // Calculate crc (again) as it might be wrong when savedata = 0 (#3918)
filebuf_ptr[0] = cfg_crc32; filebuf_ptr[0] = cfg_crc32;
filebuf_ptr[1] = cfg_crc32 >> 8; filebuf_ptr[1] = cfg_crc32 >> 8;
@ -564,10 +566,9 @@ bool SettingsConfigRestore(void) {
// Restore live config data which will be saved to file before restart // Restore live config data which will be saved to file before restart
// AddLog(LOG_LEVEL_DEBUG, PSTR("CFG: Restore driver %d"), driver); // AddLog(LOG_LEVEL_DEBUG, PSTR("CFG: Restore driver %d"), driver);
filebuf_ptr[1]++; // Force invalid crc32 to enable auto upgrade after restart filebuf_ptr[1]++; // Force invalid crc32 to enable auto upgrade after restart
if (fsize > XdrvMailbox.index) { uint32_t data_size = fsize; // Fix possible buffer overflow
fsize = XdrvMailbox.index; if (data_size > XdrvMailbox.index) { data_size = XdrvMailbox.index; }
} memcpy((uint8_t*)XdrvMailbox.data, filebuf_ptr, data_size); // Restore version and auto upgrade after restart
memcpy((uint8_t*)XdrvMailbox.data, filebuf_ptr, fsize); // Restore version and auto upgrade after restart
} else { } else {
// As driver is not active just copy file // As driver is not active just copy file
// AddLog(LOG_LEVEL_DEBUG, PSTR("CFG: Restore file %s (%d)"), (char*)filebuf_ptr -16, fsize); // AddLog(LOG_LEVEL_DEBUG, PSTR("CFG: Restore file %s (%d)"), (char*)filebuf_ptr -16, fsize);