Why don't we just std:max() the reserve() on the string and cast c_str() to uint8_t * !? That way we know the array accessin the code won't fumble into uncharted space and we get rid of the unchecked copy into the static memory space?
//.ichael
On Tue, 25 Mar 2025 at 16:38, Michael Balzer via OvmsDev <ovmsdev@lists.openvehicles.com> wrote:
Wayne,
uh, yes, that's a typical buffer overflow pattern there, unguarded
copying of a string contents to a fixed size buffer:
> static uint8_t buf[MAX_POLL_DATA_LEN];
> memcpy(buf, rxbuf.c_str(), rxbuf.size());
Not sure why/if the handlers need an uint8_t array in the first place,
but a quick first fix should be to adjust MAX_POLL_DATA_LEN:
> #define MAX_POLL_DATA_LEN 196
Add some spare room to the 329 bytes needed, just in case.
Regards,
Michael
Am 25.03.25 um 09:31 schrieb Wayne Love:
> Hi Micheal,
>
> Your comment...
>
>> Regarding Leaf CAN problems there ist a running investigation here:
>> https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3/issues/980
>
> Is dead on the money.
>
> Polling group 61 returns an abnormally large response, 329 bytes.
> This causes a buffer overrun in
> OvmsVehicleNissanLeaf::IncomingPollReply with an unguarded memcpy that
> causes the module to crash. Once the module crashes, I get the exact
> symptoms in issue 980.
>
> Appreciate your help with this.
>
> Thanks
> Wayne
>
>
>
--
Michael Balzer * Am Rahmen 5 * D-58313 Herdecke
Fon 02330 9104094 * Handy 0176 20698926
_______________________________________________
OvmsDev mailing list
OvmsDev@lists.openvehicles.com
http://lists.openvehicles.com/mailman/listinfo/ovmsdev
_______________________________________________ OvmsDev mailing list OvmsDev@lists.openvehicles.com http://lists.openvehicles.com/mailman/listinfo/ovmsdev
-- Michael Balzer * Am Rahmen 5 * D-58313 Herdecke Fon 02330 9104094 * Handy 0176 20698926