fix(nebula_core_hw_interfaces): add bounds checking for CAN FD frame reception

drwnz · drwnz · commit 997d1e31f173 · 2026-03-05T08:53:32.000+09:00
Signed-off-by: David Wong &lt;david.wong@tier4.jp&gt;
diff --git a/src/nebula_core/nebula_core_hw_interfaces/include/nebula_core_hw_interfaces/nebula_hw_interfaces_common/connections/can.hpp b/src/nebula_core/nebula_core_hw_interfaces/include/nebula_core_hw_interfaces/nebula_hw_interfaces_common/connections/can.hpp
@@ -255,8 +255,21 @@ class CanSocket
     if (status == -1) throw SocketError(errno);
     if (status == 0) return false;
 
-    ssize_t recv_result = receive_frame_with_metadata(&frame, sizeof(frame), metadata);
-    if (static_cast<size_t>(recv_result) < sizeof(frame)) {
+    size_t recv_result = receive_frame_with_metadata(&frame, sizeof(frame), metadata);
+
+    if (recv_result < sizeof(frame.can_id) + sizeof(frame.len)) {
+      throw SocketError("Corrupted CAN frame received");
+    }
+
+    if (frame.len > CANFD_MAX_DLEN) {
+      throw SocketError("Frame length is larger than max allowed CAN FD payload length");
+    }
+
+    const auto data_length = static_cast<size_t>(frame.len);
+    // some CAN FD frames are shorter than 64 bytes
+    const auto expected_length = sizeof(frame) - sizeof(frame.data) + data_length;
+
+    if (recv_result < expected_length) {
       throw SocketError("Incomplete CAN FD frame received");
     }
     return true;
