Fix potential buffer overflow in exc_FOEread/write

An excessively long filename could overflow the mailbox buffer. Fix by limiting the filename size to EC_MAXFOEDATA. Problem found and fix proposed by m1etz.
OpenEtherCATsociety · Apr 4, 2024 · 83c6264 · 83c6264
1 parent d478bce
commit 83c6264
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/soem/ethercatfoe.c b/soem/ethercatfoe.c
@@ -87,6 +87,10 @@ int ecx_FOEread(ecx_contextt *context, uint16 slave, char *filename, uint32 pass
    aFOEp = (ec_FOEt *)&MbxIn;
    FOEp = (ec_FOEt *)&MbxOut;
    fnsize = (uint16)strlen(filename);
+   if (fnsize > EC_MAXFOEDATA)
+   {
+      fnsize = EC_MAXFOEDATA;
+   }
    maxdata = context->slavelist[slave].mbx_l - 12;
    if (fnsize > maxdata)
    {
@@ -216,6 +220,10 @@ int ecx_FOEwrite(ecx_contextt *context, uint16 slave, char *filename, uint32 pas
    FOEp = (ec_FOEt *)&MbxOut;
    dofinalzero = TRUE;
    fnsize = (uint16)strlen(filename);
+   if (fnsize > EC_MAXFOEDATA)
+   {
+      fnsize = EC_MAXFOEDATA;
+   }
    maxdata = context->slavelist[slave].mbx_l - 12;
    if (fnsize > maxdata)
    {