Crash in protocol_process_ReadValue due to missing Initialisation of newMsg
HorizontalCar opened this issue · 0 comments
HorizontalCar commented
Hello,
I have been testing automated firmware testing tools and found an input that results in a crash.
Crash occurs in protocol_process_ReadValue at protocol.c:48.24. newMsg->code is not initialized, thus crashing the program due to an invalid memory read.
Cause: initialisation of newMsg missing at ascii_proto_func.c:414
```c
PROTOCOL_MSG3full newMsg;
memset((void*)&newMsg, 0x00, sizeof(PROTOCOL_MSG3full));
// Missing
// newMsg.code = s->params[i]->code;
// newMsg.cmd = PROTOCOL_CMD_READVALRESPONSE;
if (s->params[i]->fn) s->params[i]->fn(s, s->params[i], PROTOCOL_CMD_SILENTREAD, &newMsg);
sprintf(ascii_out, "%s(%s): %d\r\n",
        (s->params[i]->description) ? s->params[i]->description : "",
        s->params[i]->uistr,
        (int)*(short *)s->params[i]->ptr
);
s->send_serial_data_wait((unsigned char *)ascii_out, strlen(ascii_out));
ascii_out[0] = 0; // don't print last one twice
```
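The pattern behind this report, as an added example that is not the firmware's own code: the names `msg_t`, `param_t`, `params[]` and the two handler functions are hypothetical stand-ins for `PROTOCOL_MSG3full`, the `s->params[i]` table and the per-parameter `fn`. It shows the zeroed-but-unset `code` field beside the fixed construction, and a receiver that validates `code` before dereferencing anything.

```c
/* Added example modelling the report: a response message is memset to zero
 * but its `code` field is never set before a parameter handler uses `code`
 * to locate the parameter. All names here are hypothetical. */
#include <string.h>

#define CMD_SILENTREAD      0x01   /* constructed command values */
#define CMD_READVALRESPONSE 0x02

typedef struct { unsigned char cmd; unsigned char code; short value; } msg_t;
typedef struct { unsigned char code; const char *name; short *ptr; } param_t;

static short speed = 120, battery = 37;
/* Constructed parameter table: valid codes are 0x10 and 0x11, so the
 * zero left behind by memset names no parameter at all. */
static const param_t params[] = { {0x10, "speed", &speed},
                                  {0x11, "battery", &battery} };
#define NPARAMS (sizeof params / sizeof params[0])

/* Lookup by message code, as the receiver of the message would do.
 * Returns NULL instead of dereferencing anything for an unknown code. */
static const param_t *find_param(unsigned char code) {
    for (size_t i = 0; i < NPARAMS; i++)
        if (params[i].code == code) return &params[i];
    return NULL;
}

/* Handler standing in for the per-parameter fn(): it trusts msg->code.
 * Returns 0 on success and -1 when the code names no parameter; a handler
 * without this check is where the reported invalid read would happen. */
static int handle_silent_read(msg_t *msg) {
    const param_t *p = find_param(msg->code);
    if (p == NULL) return -1;           /* defensive check on the receiver side */
    msg->value = *p->ptr;
    return 0;
}

/* Build the response message the buggy way (set_fields == 0, as in the
 * issue) or the fixed way (set_fields == 1, the two missing assignments),
 * then hand it to the handler. Returns the handler's result. */
static int read_value(const param_t *p, int set_fields, msg_t *out) {
    memset(out, 0, sizeof *out);        /* note: code becomes 0, not garbage */
    if (set_fields) {
        out->code = p->code;            /* newMsg.code = s->params[i]->code; */
        out->cmd  = CMD_READVALRESPONSE;/* newMsg.cmd  = PROTOCOL_CMD_READVALRESPONSE; */
    }
    return handle_silent_read(out);
}
```

The memset leaves `code` at zero rather than truly uninitialised, so the fix has two halves: the sender sets `code` and `cmd` before the call, and the handler rejects any code that names no parameter.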