Added several guards and error messages

Try to prevent heap corruptions
2022-07-14 18:54:53 +02:00 · 2022-07-14 18:54:53 +02:00 · 05c478d1f2
commit 05c478d1f2
parent 608456b14d
4 changed files with 24 additions and 1 deletions
--- a/lib/Hoymiles/src/HoymilesRadio.cpp
+++ b/lib/Hoymiles/src/HoymilesRadio.cpp
@ -225,6 +225,11 @@ void HoymilesRadio::sendEsbPacket(serial_u target, uint8_t mainCmd, uint8_t subC
 {
    static uint8_t txBuffer[MAX_RF_PAYLOAD_SIZE];

+    if (10 + currentTransaction.len + 1 > MAX_RF_PAYLOAD_SIZE) {
+        Serial.printf("FATAL: (%s, %d) payload too large\n", __FILE__, __LINE__);
+        return;
+    }
+
    if (!resend) {
        currentTransaction.sendCount = 0;
        currentTransaction.target = target;
--- a/lib/Hoymiles/src/inverters/InverterAbstract.cpp
+++ b/lib/Hoymiles/src/inverters/InverterAbstract.cpp
@ -41,7 +41,7 @@ StatisticsParser* InverterAbstract::Statistics()

 void InverterAbstract::clearRxFragmentBuffer()
 {
-    memset(_rxFragmentBuffer, 0, MAX_RF_FRAGMENT_COUNT * MAX_RF_PAYLOAD_SIZE);
+    memset(_rxFragmentBuffer, 0, MAX_RF_FRAGMENT_COUNT * sizeof(fragment_t));
    _rxFragmentMaxPacketId = 0;
    _rxFragmentLastPacketId = 0;
    _rxFragmentRetransmitCnt = 0;
@ -55,6 +55,16 @@ void InverterAbstract::clearRxFragmentBuffer()

 void InverterAbstract::addRxFragment(uint8_t fragment[], uint8_t len)
 {
+    if (len < 11 + 1) {
+        Serial.printf("FATAL: (%s, %d) fragment too short\n", __FILE__, __LINE__);
+        return;
+    }
+
+    if (len - 11 > MAX_RF_PAYLOAD_SIZE) {
+        Serial.printf("FATAL: (%s, %d) fragment too large\n", __FILE__, __LINE__);
+        return;
+    }
+
    uint8_t fragmentCount = fragment[9];
    if ((fragmentCount & 0b01111111) < MAX_RF_FRAGMENT_COUNT) {
        // Packets with 0x81 will be seen as 1
--- a/lib/Hoymiles/src/parser/AlarmLogParser.cpp
+++ b/lib/Hoymiles/src/parser/AlarmLogParser.cpp
@ -9,6 +9,10 @@ void AlarmLogParser::clearBuffer()

 void AlarmLogParser::appendFragment(uint8_t offset, uint8_t* payload, uint8_t len)
 {
+    if (offset + len > (ALARM_LOG_ENTRY_COUNT * ALARM_LOG_ENTRY_SIZE)) {
+        Serial.printf("FATAL: (%s, %d) stats packet too large for buffer\n", __FILE__, __LINE__);
+        return;
+    }
    memcpy(&_payloadAlarmLog[offset], payload, len);
    _alarmLogLength += len;
 }
--- a/lib/Hoymiles/src/parser/StatisticsParser.cpp
+++ b/lib/Hoymiles/src/parser/StatisticsParser.cpp
@ -14,6 +14,10 @@ void StatisticsParser::clearBuffer()

 void StatisticsParser::appendFragment(uint8_t offset, uint8_t* payload, uint8_t len)
 {
+    if (offset + len > STATISTIC_PACKET_SIZE) {
+        Serial.printf("FATAL: (%s, %d) stats packet too large for buffer\n", __FILE__, __LINE__);
+        return;
+    }
    memcpy(&_payloadStatistic[offset], payload, len);
    _statisticLength += len;
 }