Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CF invokes CFE_MSG_Init with size of 0 #401

Closed
2 tasks done
jphickey opened this issue Jul 25, 2023 · 0 comments · Fixed by #402
Closed
2 tasks done

CF invokes CFE_MSG_Init with size of 0 #401

jphickey opened this issue Jul 25, 2023 · 0 comments · Fixed by #402
Assignees
@jphickey
Labels
bug
Milestone
Equuleus

Comments

@jphickey
Copy link
Contributor

Checklist (Please check before submitting)

  • I reviewed the Contributing Guide.
  • I performed a cursory search to see if the bug report is relevant, not redundant, nor in conflict with other tickets.

Describe the bug
The 3rd parameter of CFE_MSG_Init() is supposed to indicate the actual size of the structure/buffer being initialized. In general, this must be at least the size of the primary header in order to be valid.

CF (at first) passes this as 0, then overwrites this with the real size later on.

The problem is, a size of 0 is totally invalid, and to be correct, CFE_MSG_Init() should not be writing any values into a structure that is smaller than the size of a primary header, as this is an error. Writing any value into a struct of size 0 is a write-beyond-bounds error, and thus the fact that the default CFE_MSG_Init() even allows this is a bug.

To Reproduce
Run CF with a proper implementation of CFE_MSG_Init() - i.e. one that verifies the size is valid. When passed a size of 0, none of the header fields will be set (correct behavior). This results in the buffer being in an indeterminate state, and the MsgId will not be set.

Expected behavior
The MsgId needs to be set by the call to CFE_MSG_Init

Code snips

CF/fsw/src/cf_cfdp_sbintf.c

Lines 120 to 121 in 38cfee8

CFE_MSG_Init(&CF_AppData.engine.out.msg->Msg,
CFE_SB_ValueToMsgId(CF_AppData.config_table->chan[t->chan_num].mid_output), 0);

Reporter Info
Joseph Hickey, Vantage Systems, Inc.
@jphickey jphickey added the bug label Jul 25, 2023
@jphickey jphickey self-assigned this Jul 25, 2023
jphickey added a commit that referenced this issue Jul 25, 2023
@jphickey
Fix #401, use valid size when calling CFE_MSG_Init
e5fbf9e 
Use the offset of the payload start, which by definition must include at
least enough space for the primary header.  This ensures that the value
will pass any size check enforced in CFE_MSG_Init.
@jphickey jphickey mentioned this issue Jul 25, 2023
Merged
2 tasks
dzbaker added a commit that referenced this issue Jul 27, 2023
@dzbaker
Merge pull request #402 from jphickey/fix-401-size-0
d401933 
Fix #401, use valid size when calling CFE_MSG_Init
@jphickey jphickey mentioned this issue Jul 27, 2023
Open
@chillfig chillfig added this to the Equuleus milestone Sep 1, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jphickey jphickey

Labels
bug
Projects
None yet
Milestone
Equuleus
Development

Successfully merging a pull request may close this issue.

Fix #401, use valid size when calling CFE_MSG_Init jphickey/CF
2 participants
@jphickey @chillfig