fix(security): backport security fixes to release/1.17 #26741
Merged
mrpollo merged 7 commits into release/1.17 on Mar 13, 2026
Conversation
Reject replies with length >= sizeof(BSTPacket) to prevent OOB read in CRC calculation. Clamp dev_name_len to buffer size to prevent OOB write during null termination.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Add bounds checking in the CAN frame assembly loop to prevent a buffer overflow when copying payloads into the Tattu12SBatteryMessage struct. A crafted CAN frame with a corrupt payload_size could write past the 48-byte struct boundary. Also guard against payload_size of 0 which would cause an unsigned integer underflow on the size_t subtraction.
Fixes GHSA-wxwm-xmx9-hr32
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
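The two commits above fix the same class of bug: a length field read from the wire (a BST reply length, a CAN payload_size) bounds a copy into a fixed-size struct. The following is an added example in the shape of the Tattu fix, written for this page and not taken from PX4: a hypothetical multi-frame reassembler whose header frame announces a payload size that is validated before any byte is copied. The 48-byte destination, the 8-byte data frames, the header byte carrying payload_size, the `FrameResult` values and the 0xAB fill pattern are all assumptions made for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// Hypothetical 48-byte destination, sized like the struct named in the commit.
// The field layout is an assumption; only the size matters here.
struct BatteryMessage {
    uint8_t raw[48];
};

static constexpr size_t CAN_FRAME_DATA_LEN = 8;

// Reassembly state carried across frames.
struct Reassembler {
    BatteryMessage msg{};
    size_t payload_size = 0;  // announced by the header frame
    size_t received = 0;      // bytes copied so far; invariant: received <= payload_size
    bool active = false;
};

enum class FrameResult { Ignored, Accepted, Complete, Rejected };

// Continuation frame: copy at most what is still outstanding. Because
// start_message() enforces payload_size <= sizeof(msg.raw), the write offset
// msg.raw + received can never leave the struct.
FrameResult append_payload(Reassembler &r, const uint8_t *data, size_t len) {
    if (!r.active) {
        return FrameResult::Ignored;
    }
    size_t remaining = r.payload_size - r.received;  // no underflow: invariant above
    size_t n = len < remaining ? len : remaining;
    memcpy(r.msg.raw + r.received, data, n);
    r.received += n;
    if (r.received == r.payload_size) {
        r.active = false;
        return FrameResult::Complete;
    }
    return FrameResult::Accepted;
}

// Header frame (assumption): byte 0 carries payload_size, bytes 1..7 start
// the payload. Validate the announced length before any copy happens.
FrameResult start_message(Reassembler &r, const uint8_t *data, size_t len) {
    if (len < 1) {
        return FrameResult::Rejected;
    }
    size_t announced = data[0];
    // A zero size would make "payload_size - received" style arithmetic
    // underflow on size_t; reject it up front.
    if (announced == 0) {
        return FrameResult::Rejected;
    }
    // A corrupt size larger than the struct is the overflow the commit fixes.
    if (announced > sizeof(r.msg.raw)) {
        return FrameResult::Rejected;
    }
    r.msg = BatteryMessage{};
    r.payload_size = announced;
    r.received = 0;
    r.active = true;
    return append_payload(r, data + 1, len - 1);
}

// Constructed driver (sample input, not bus traffic): one header frame
// announcing `announced` bytes, then `cont_frames` 8-byte frames of 0xAB.
// Returns the result of the last frame fed.
FrameResult feed_constructed(Reassembler &r, uint8_t announced, size_t cont_frames) {
    uint8_t frame[CAN_FRAME_DATA_LEN];
    memset(frame, 0xAB, sizeof(frame));
    frame[0] = announced;
    FrameResult res = start_message(r, frame, sizeof(frame));
    if (res == FrameResult::Rejected) {
        return res;
    }
    frame[0] = 0xAB;
    for (size_t i = 0; i < cont_frames; ++i) {
        res = append_payload(r, frame, sizeof(frame));
    }
    return res;
}
```

Two details carry the weight: the size is checked against `sizeof` the destination, not against a constant that can drift from the struct definition, and the continuation path clamps to `remaining` so extra frames after completion are ignored rather than written past the end. The zero check does double duty, since an announced size of 0 would otherwise complete the message with nothing copied and leave the subtraction one step from wrapping.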
Add _validatePath() that rejects paths containing ".." components, preventing directory traversal outside the FTP root directory. Applied to all FTP operation handlers (list, open, remove, truncate, rename, mkdir, rmdir, CRC32).
Fixes GHSA-fh32-qxj9-x32f, GHSA-pm28-2j4f-8jxv
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
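An added example of the check the commit describes, written for this page rather than taken from PX4's `_validatePath()`: the request path is split on `/` and rejected if any whole component is `..`. The `validate_path` and `resolve_under_root` names, the root path and the sample file names are assumptions for the illustration.

```cpp
#include <string>
#include <string_view>

// Reject a path when any '/'-separated component is exactly "..". Matching
// whole components rather than the substring ".." keeps legitimate names such
// as "log..old" usable while still catching "../x", "a/../x" and "/..".
bool validate_path(std::string_view path) {
    size_t start = 0;
    while (start <= path.size()) {
        size_t end = path.find('/', start);
        if (end == std::string_view::npos) {
            end = path.size();
        }
        if (path.substr(start, end - start) == "..") {
            return false;
        }
        start = end + 1;
    }
    return true;
}

// Hypothetical helper showing how a handler would use the check: validate the
// request first and only then join it under the server root, so a rejected
// path never reaches the filesystem. Returns an empty string on reject.
std::string resolve_under_root(std::string_view root, std::string_view request) {
    if (!validate_path(request)) {
        return std::string();
    }
    std::string out(root);
    if (out.empty() || out.back() != '/') {
        out.push_back('/');
    }
    // Drop a leading '/' so an absolute-looking request still lands under root.
    size_t first = request.find_first_not_of('/');
    if (first != std::string_view::npos) {
        out.append(request.substr(first));
    }
    return out;
}
```

Applying the check in every handler, as the commit does, matters more than the check itself: a rename or mkdir handler that skips it reopens the traversal even if list and open are clean. Symlinks under the root are a separate concern that a component check does not address.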
Remove the old MAVLINK_FTP_UNIT_TEST infrastructure that has been dead code for years (not enabled in any board config). This includes:
- src/modules/mavlink/mavlink_tests/ directory (test suite, CMakeLists)
- All #ifdef MAVLINK_FTP_UNIT_TEST blocks in mavlink_ftp.cpp
- set_unittest_worker() callback mechanism in mavlink_ftp.h
- Conditional uAvionix include in mavlink_bridge_header.h
The test suite will be ported to GTest as a follow-up.
Ref: #26738
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
…tions
Use logical OR (||) instead of AND (&&) in _workWrite() and _workBurst() session validation, matching the correct logic already used in _workRead() and _workTerminate(). The AND operator allowed operations to proceed with an invalid session ID as long as a valid file descriptor existed.
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Reject Zenoh payloads that exceed the expected uORB topic size plus CDR header (4 bytes), or that are too small to contain a valid CDR header. This prevents a stack overflow from crafted network input where z_bytes_len(payload) controls a VLA allocation.
Fixes GHSA-69g4-hcqf-j45p
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
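An added example of the size window this commit describes, written for this page and not taken from PX4's Zenoh code: the payload must be at least a 4-byte CDR header and at most the header plus the expected topic size, and the check runs before anything is placed on the stack. The 4-byte header length is from the commit; `MAX_TOPIC_LEN`, the `Decoded` struct, the function names and the sample bytes are assumptions for the illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>

// The 4-byte CDR header comes from the commit; MAX_TOPIC_LEN is an assumption
// standing in for the largest uORB topic this receiver handles.
static constexpr size_t CDR_HEADER_LEN = 4;
static constexpr size_t MAX_TOPIC_LEN = 64;

// The window the commit describes: at least a CDR header, at most the header
// plus the expected topic size. Anything else is rejected before allocation.
bool payload_len_ok(size_t payload_len, size_t topic_len) {
    if (payload_len < CDR_HEADER_LEN) {
        return false;
    }
    if (payload_len > topic_len + CDR_HEADER_LEN) {
        return false;
    }
    return true;
}

struct Decoded {
    uint8_t header[CDR_HEADER_LEN];
    uint8_t body[MAX_TOPIC_LEN];
    size_t body_len;
};

// Vulnerable shape, shown for contrast only (not compiled here):
//     uint8_t buf[z_bytes_len(payload)];   // VLA sized by the network peer
// The hardened version checks the window first and uses a buffer whose size
// is fixed at compile time, so the stack frame never depends on the payload.
bool decode_payload(const uint8_t *payload, size_t payload_len,
                    size_t topic_len, Decoded &out) {
    if (topic_len > MAX_TOPIC_LEN) {
        return false;  // receiver's topic table disagrees with its buffer; refuse
    }
    if (!payload_len_ok(payload_len, topic_len)) {
        return false;
    }
    uint8_t scratch[CDR_HEADER_LEN + MAX_TOPIC_LEN];
    memcpy(scratch, payload, payload_len);  // payload_len <= sizeof(scratch) by the checks above
    memcpy(out.header, scratch, CDR_HEADER_LEN);
    out.body_len = payload_len - CDR_HEADER_LEN;  // no underflow: payload_len >= CDR_HEADER_LEN
    memcpy(out.body, scratch + CDR_HEADER_LEN, out.body_len);
    return true;
}

// Constructed sample (not captured traffic): 4 header bytes followed by a
// 16-byte topic body whose bytes are 0..15. Decodes against topic_len = 16.
bool decode_constructed_sample(Decoded &out) {
    uint8_t sample[CDR_HEADER_LEN + 16];
    sample[0] = 0x00;
    sample[1] = 0x01;
    sample[2] = 0x00;
    sample[3] = 0x00;
    for (size_t i = 0; i < 16; ++i) {
        sample[CDR_HEADER_LEN + i] = static_cast<uint8_t>(i);
    }
    return decode_payload(sample, sizeof(sample), 16, out);
}
```

The lower bound is not cosmetic: without it, `payload_len - CDR_HEADER_LEN` on a 2-byte payload wraps to a huge `size_t` and the body copy runs off the end of the input, which is the mirror image of the oversized-payload case the VLA check catches.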
The mavlink_tests module was deleted in 1009268 but several references were left behind, breaking builds on all targets. Removed:
- CMakeLists.txt: add_subdirectory(mavlink_tests)
- mavlink_ftp.cpp: #include of deleted mavlink_ftp_test.h
- mavlink_ftp.h: MavlinkFtpTest forward decl and friend class
- posix-configs/SITL/init/test/test_mavlink: dead init script
- sitl_tests.cmake: sitl-mavlink CTest target
- install-voxl.sh: px4-mavlink_tests symlink
Ref: #26738
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
🔎 FLASH Analysis: px4_fmu-v5x [Total VM Diff: 272 byte (0.01 %)]; px4_fmu-v6x [Total VM Diff: 224 byte (0.01 %)]. Updated: 2026-03-13T17:57:40
Security fixes backported from main for inclusion in v1.17.0-rc2.
This is the first time we're accepting a PR into a release branch this late. These are all security-only changes with no new features.
Fixes included:
- fix(telemetry/bst): validate reply length and dev_name_len before use (GHSA-79mp)
- fix(tattu_can): validate CAN frame bounds before buffer copy (GHSA-wxwm)
- fix(mavlink): reject path traversal sequences in FTP operations (GHSA-fh32)
- refactor(mavlink): remove dead FTP unit test code
- fix(mavlink): correct session validation in FTP write and burst operations (GHSA-pp2c)
- fix(zenoh): validate payload size before stack allocation (GHSA-69g4)

Not included:
- fix(crsf_rc) (GHSA-mqgj): the vulnerable code paths (variable-length CRSF packet types) were introduced in PR "[vtx] Add support for VTX control via Tramp and SmartAudio protocols" #25694, which only landed on main, not release/1.17. The vulnerability does not exist on this branch.

Draft because we're still waiting on PR #26740 (CMakeLists cleanup for removed mavlink_tests/ directory) to merge to main before cherry-picking here.