Fix MAVLink message bounds validation vulnerabilities (Stable_V5.0 backport)#14068
Merged: DonLakeFlyer merged 2 commits into Stable_V5.0 on Mar 6, 2026
Harden MAVLink message handlers against malicious or malformed payloads that could trigger out-of-bounds memory access.

ImageProtocolManager (GHSA-v5rc-wh3c-c4cw):
- Validate DATA_TRANSMISSION_HANDSHAKE fields (size, payload, packets) before allocating the image buffer
- Enforce 1 MB upper bound on image size
- Reject payload values exceeding ENCAPSULATED_DATA data[253] array size
- Pre-allocate image buffer to declared size instead of growing via unchecked indexed writes
- Replace byte-by-byte copy loop with bounds-clamped memcpy
- Cast seqnr to uint32_t before multiplication to prevent overflow

Vehicle (LOG_DATA):
- Add bounds check on log.count against sizeof(log.data) before emitting the signal, preventing downstream consumers from reading past the 90-byte data array

FTPManager (FILE_TRANSFER_PROTOCOL):
- Validate hdr.size against sizeof(request->data) at the single message entry point, protecting all downstream handlers (burst read, list directory, fill missing blocks) from reading past the 239-byte data array

Fixes: GHSA-v5rc-wh3c-c4cw
Backport of #14067 to Stable_V5.0.
Harden MAVLink message handlers against malicious or malformed payloads that could trigger out-of-bounds memory access.
Fixes https://github.com/mavlink/qgroundcontrol/security/advisories/GHSA-v5rc-wh3c-c4cw
ImageProtocolManager (GHSA-v5rc-wh3c-c4cw):
- Validate DATA_TRANSMISSION_HANDSHAKE fields (size, payload, packets) before allocating the image buffer
- Enforce 1 MB upper bound on image size
- Reject payload values exceeding ENCAPSULATED_DATA data[253] array size
- Pre-allocate image buffer to declared size instead of growing via unchecked indexed writes
- Replace byte-by-byte copy loop with bounds-clamped memcpy
- Cast seqnr to uint32_t before multiplication to prevent overflow

Vehicle (LOG_DATA):
- Add bounds check on log.count against sizeof(log.data) before emitting the signal, preventing downstream consumers from reading past the 90-byte data array

FTPManager (FILE_TRANSFER_PROTOCOL):
- Validate hdr.size against sizeof(request->data) at the single message entry point, protecting all downstream handlers (burst read, list directory, fill missing blocks) from reading past the 239-byte data array
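The ImageProtocolManager hardening steps listed above, written out as an added C++ example that is not QGroundControl's own code: the message structs are hypothetical stand-ins for the MAVLink types, and the packets-times-payload consistency check is an assumption beyond what the PR describes.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <vector>

// Hypothetical stand-ins for mavlink_data_transmission_handshake_t and
// mavlink_encapsulated_data_t; only the fields the checks need are kept.
struct HandshakeMsg { uint32_t size; uint16_t packets; uint8_t payload; };
struct EncapsulatedMsg { uint16_t seqnr; uint8_t data[253]; };

constexpr uint32_t kMaxImageSize = 1024u * 1024u;  // 1 MB upper bound from the PR

class ImageAssembler {
public:
    // Validate every declared field before a single byte is allocated.
    bool handleHandshake(const HandshakeMsg& h) {
        if (h.size == 0 || h.size > kMaxImageSize) return false;
        if (h.payload == 0 || h.payload > sizeof(EncapsulatedMsg::data)) return false;
        if (h.packets == 0) return false;
        // Extra consistency check (assumption, not from the PR): the declared
        // packet count must cover the image with less than one packet of slack.
        const uint64_t capacity = uint64_t(h.packets) * h.payload;
        if (capacity < h.size || capacity - h.size >= h.payload) return false;
        m_payload = h.payload;
        m_buffer.assign(h.size, 0);        // pre-allocate instead of growing on write
        m_seen.assign(h.packets, false);
        return true;
    }

    // Copy one chunk with a bounds-clamped memcpy; reject anything outside the image.
    bool handleData(const EncapsulatedMsg& d) {
        if (m_buffer.empty() || d.seqnr >= m_seen.size()) return false;
        const uint32_t offset = uint32_t(d.seqnr) * m_payload;  // widen before multiplying
        if (offset >= m_buffer.size()) return false;
        const size_t n = std::min<size_t>(m_payload, m_buffer.size() - offset);
        std::memcpy(m_buffer.data() + offset, d.data, n);
        m_seen[d.seqnr] = true;
        return true;
    }

    bool complete() const {
        return !m_seen.empty() && std::all_of(m_seen.begin(), m_seen.end(), [](bool s) { return s; });
    }
    const std::vector<uint8_t>& image() const { return m_buffer; }

private:
    uint8_t m_payload = 0;
    std::vector<uint8_t> m_buffer;
    std::vector<bool> m_seen;
};
```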