[Ovmsdev] Leaf AZE1 Can1 stuck after poll 7BB group 61

Michael Balzer dexter at expeedo.de
Tue Mar 25 16:38:29 HKT 2025


Wayne,

uh, yes, that's a typical buffer overflow pattern there, unguarded 
copying of a string's contents to a fixed-size buffer:

>   static uint8_t buf[MAX_POLL_DATA_LEN];
>   memcpy(buf, rxbuf.c_str(), rxbuf.size());

Not sure why/if the handlers need a uint8_t array in the first place, 
but a quick first fix should be to adjust MAX_POLL_DATA_LEN:

> #define MAX_POLL_DATA_LEN         196

Add some spare room to the 329 bytes needed, just in case.

Regards,
Michael


On 25.03.25 at 09:31, Wayne Love wrote:
> Hi Michael,
>
> Your comment...
>
>> Regarding Leaf CAN problems there is a running investigation here: 
>> https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3/issues/980
>
> Is dead on the money.
>
> Polling group 61 returns an abnormally large response, 329 bytes.  
> This causes a buffer overrun in 
> OvmsVehicleNissanLeaf::IncomingPollReply with an unguarded memcpy that 
> causes the module to crash.  Once the module crashes, I get the exact 
> symptoms in issue 980.
>
> Appreciate your help with this.
>
> Thanks
> Wayne
>
>
>

-- 
Michael Balzer * Am Rahmen 5 * D-58313 Herdecke
Fon 02330 9104094 * Handy 0176 20698926
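
Added example, not part of the email or the OVMS code base: a length-checked copy for the memcpy pattern quoted above, using the 196-byte limit and the 329-byte reply size from the thread. `copy_poll_reply` and `guard_intact_after_copy` are hypothetical names, and truncating an oversized reply (rather than dropping it) is an assumption.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// Value quoted in the thread; the 329-byte group 61 reply does not fit.
#define MAX_POLL_DATA_LEN 196

// Hypothetical helper (not an OVMS function): copy an assembled poll reply
// into a fixed-size buffer without ever writing more than `cap` bytes.
// Returns the bytes copied; *truncated reports an oversized reply.
static size_t copy_poll_reply(uint8_t *dst, size_t cap,
                              const std::string &rxbuf, bool *truncated)
{
  size_t n = rxbuf.size();
  *truncated = (n > cap);
  if (*truncated)
    n = cap;                       // clamp instead of overrunning dst
  memcpy(dst, rxbuf.data(), n);
  return n;
}

// Constructed sample input: a reply of `reply_len` bytes is pushed through
// the guarded copy, then the guard bytes placed after the buffer are checked.
static bool guard_intact_after_copy(size_t reply_len, size_t *copied,
                                    bool *truncated)
{
  struct {
    uint8_t buf[MAX_POLL_DATA_LEN];
    uint8_t canary[8];             // stands in for whatever follows buf
  } frame;
  memset(frame.canary, 0xA5, sizeof(frame.canary));
  std::string rxbuf(reply_len, '\x61');
  *copied = copy_poll_reply(frame.buf, sizeof(frame.buf), rxbuf, truncated);
  for (size_t i = 0; i < sizeof(frame.canary); i++)
    if (frame.canary[i] != 0xA5)
      return false;
  return true;
}

int main()
{
  size_t copied = 0;
  bool truncated = false;
  bool ok = guard_intact_after_copy(329, &copied, &truncated);
  printf("copied=%zu truncated=%d guard_intact=%d\n", copied, truncated, ok);
  return ok ? 0 : 1;
}
```

A handler using such a check should log the truncation so an oversized reply is visible instead of silently shortened.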
