Fix MAVLink message bounds validation vulnerabilities#14067
Merged
DonLakeFlyer merged 1 commit intomasterfrom Mar 6, 2026
Merged
Fix MAVLink message bounds validation vulnerabilities#14067DonLakeFlyer merged 1 commit intomasterfrom
DonLakeFlyer merged 1 commit intomasterfrom
Conversation
Contributor
Build ResultsPlatform Status
All builds passed. Pre-commit
Pre-commit hooks: 32 passed, 78 failed, 10 skipped. Test Resultslinux-sanitizers: 52 passed, 0 skipped linux_gcc_64: 52 passed, 0 skipped Total: 104 passed, 0 skipped Code CoverageCoverage: N/A No baseline available for comparison Artifact Sizes
No baseline available for comparison Updated: 2026-03-06 04:23:26 UTC • Triggered by: MacOS |
| _imageHandshake = {}; | ||
| break; | ||
| } | ||
| if (_imageHandshake.payload > sizeof(mavlink_encapsulated_data_t::data)) { |
There was a problem hiding this comment.
sizeof(mavlink_encapsulated_data_t::data) is not valid C++ for a non-static member; this will fail to compile. Use sizeof(encapsulatedData.data) (or an equivalent sizeof(((mavlink_encapsulated_data_t*)nullptr)->data)) to compare against the ENCAPSULATED_DATA data array size.
Suggested change
| if (_imageHandshake.payload > sizeof(mavlink_encapsulated_data_t::data)) { | |
| if (_imageHandshake.payload > sizeof(((mavlink_encapsulated_data_t*)nullptr)->data)) { |
| break; | ||
| } | ||
|
|
||
| _imageBytes.resize(_imageHandshake.size, '\0'); |
There was a problem hiding this comment.
QByteArray::resize only takes a single size argument; resize(_imageHandshake.size, '\0') will not compile. If you want the buffer zero-initialized, use fill('\0', _imageHandshake.size) or assign a QByteArray(_imageHandshake.size, '\0') after the validation checks.
Suggested change
| _imageBytes.resize(_imageHandshake.size, '\0'); | |
| _imageBytes.fill('\0', _imageHandshake.size); |
Harden MAVLink message handlers against malicious or malformed payloads that could trigger out-of-bounds memory access. ImageProtocolManager (GHSA-v5rc-wh3c-c4cw): - Validate DATA_TRANSMISSION_HANDSHAKE fields (size, payload, packets) before allocating the image buffer - Enforce 1 MB upper bound on image size - Reject payload values exceeding ENCAPSULATED_DATA data[253] array size - Pre-allocate image buffer to declared size instead of growing via unchecked indexed writes - Replace byte-by-byte copy loop with bounds-clamped memcpy - Cast seqnr to uint32_t before multiplication to prevent overflow Vehicle (LOG_DATA): - Add bounds check on log.count against sizeof(log.data) before emitting the signal, preventing downstream consumers from reading past the 90-byte data array FTPManager (FILE_TRANSFER_PROTOCOL): - Validate hdr.size against sizeof(request->data) at the single message entry point, protecting all downstream handlers (burst read, list directory, fill missing blocks) from reading past the 239-byte data array Fixes: GHSA-v5rc-wh3c-c4cw
DonLakeFlyer
force-pushed
the
fix/mavlink-message-bounds-validation
branch
from
bae5113 to
d478b64
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Harden MAVLink message handlers against malicious or malformed payloads that could trigger out-of-bounds memory access.
Fixes https://github.com/mavlink/qgroundcontrol/security/advisories/GHSA-v5rc-wh3c-c4cw
ImageProtocolManager (
GHSA-v5rc-wh3c-c4cw)DATA_TRANSMISSION_HANDSHAKEfields (size,payload,packets) before allocating the image bufferpayloadvalues exceedingENCAPSULATED_DATAdata[253]array sizememcpyseqnrtouint32_tbefore multiplication to prevent overflowVehicle (
LOG_DATA)log.countagainstsizeof(log.data)before emitting the signal, preventing downstream consumers from reading past the 90-byte data arrayFTPManager (
FILE_TRANSFER_PROTOCOL)hdr.sizeagainstsizeof(request->data)at the single message entry point, protecting all downstream handlers (burst read, list directory, fill missing blocks) from reading past the 239-byte data array