Why don't we just std:max() the  reserve() on the string and cast c_str() to uint8_t * !?  That way we know the array access 
in the code won't fumble into uncharted space and we get rid of the unchecked copy into the static memory space? 

//.ichael

On Tue, 25 Mar 2025 at 16:38, Michael Balzer via OvmsDev <ovmsdev@lists.openvehicles.com> wrote:
Wayne,

uh, yes, that's a typical buffer overflow pattern there, unguarded
copying of a string contents to a fixed size buffer:

>   static uint8_t buf[MAX_POLL_DATA_LEN];
>   memcpy(buf, rxbuf.c_str(), rxbuf.size());

Not sure why/if the handlers need an uint8_t array in the first place,
but a quick first fix should be to adjust MAX_POLL_DATA_LEN:

> #define MAX_POLL_DATA_LEN         196

Add some spare room to the 329 bytes needed, just in case.

Regards,
Michael


Am 25.03.25 um 09:31 schrieb Wayne Love:
> Hi Micheal,
>
> Your comment...
>
>> Regarding Leaf CAN problems there ist a running investigation here:
>> https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3/issues/980
>
> Is dead on the money.
>
> Polling group 61 returns an abnormally large response, 329 bytes. 
> This causes a buffer overrun in
> OvmsVehicleNissanLeaf::IncomingPollReply with an unguarded memcpy that
> causes the module to crash.  Once the module crashes, I get the exact
> symptoms in issue 980.
>
> Appreciate your help with this.
>
> Thanks
> Wayne
>
>
>

--
Michael Balzer * Am Rahmen 5 * D-58313 Herdecke
Fon 02330 9104094 * Handy 0176 20698926

_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev