Describe the bug
CFE_EVS_ProcessCommandPacket() processes SEND_HK_MID messages by directly casting the buffer to CFE_EVS_SendHkCmd_t * without calling CFE_EVS_VerifyCmdLength(). All other command codes in CFE_EVS_ProcessGroundCommand() use VerifyCmdLength before casting. A malformed/truncated packet can cause OOB read when EVS accesses the struct fields.
This is the same root cause as #971 (TIME DATA_CMD_MID missing length validation) and #986 (ES SEND_HK_MID missing length validation).
To Reproduce
- Send a CFE_EVS_SEND_HK_MID packet with size < sizeof(CFE_EVS_SendHkCmd_t)
- EVS processes it without validation
- OOB read when fields are accessed
Expected behavior
CFE_EVS_ProcessCommandPacket() should call CFE_EVS_VerifyCmdLength(&SBBufPtr->Msg, sizeof(CFE_EVS_SendHkCmd_t)) before casting.
Code snips
File: cfe/modules/evs/fsw/src/cfe_evs_dispatch.c, function CFE_EVS_ProcessCommandPacket():
    if (CFE_SB_MsgId_Equal(MessageID, SEND_HK_MID))
    {
        CFE_EVS_SendHkCmd((const CFE_EVS_SendHkCmd_t *)SBBufPtr); // no VerifyCmdLength!
    }
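Added example (not cFE code): the same dispatch pattern on simplified stand-in types, with the length check the report asks for placed before the cast. ModelMsg_t, ModelSendHkCmd_t, ModelVerifyCmdLength and ModelProcessSendHk are assumed names that model the cFE ones; ModelOverreadBytes reports how far the unchecked cast would read past the end of a short packet instead of performing that read.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the cFE message types (assumption, not cFE code).
 * The header is 8 bytes so the command struct has no padding. */
typedef struct {
    uint16_t StreamId;
    uint16_t Sequence;
    uint16_t Length;   /* packet size as the sender claims it */
    uint16_t Spare;
} ModelMsg_t;

typedef struct {
    ModelMsg_t Msg;
    uint32_t   Reserved[4];   /* fields the handler dereferences after the cast */
} ModelSendHkCmd_t;

typedef enum { DISPATCH_OK = 0, DISPATCH_BAD_LENGTH = 1 } DispatchResult_t;

/* Model of CFE_EVS_VerifyCmdLength(): accept only when the header length
 * equals the size the handler is about to assume for the struct. */
static bool ModelVerifyCmdLength(const ModelMsg_t *MsgPtr, size_t ExpectedLength)
{
    return MsgPtr->Length == ExpectedLength;
}

/* Hardened SEND_HK path: verify the length, then cast. A truncated packet is
 * dropped before any struct field is touched. */
DispatchResult_t ModelProcessSendHk(const ModelMsg_t *MsgPtr, uint32_t *SumOut)
{
    const ModelSendHkCmd_t *Cmd;
    size_t i;

    if (!ModelVerifyCmdLength(MsgPtr, sizeof(ModelSendHkCmd_t)))
        return DISPATCH_BAD_LENGTH;

    Cmd = (const ModelSendHkCmd_t *)MsgPtr;
    *SumOut = 0;
    for (i = 0; i < 4; i++)
        *SumOut += Cmd->Reserved[i];   /* safe: all 24 bytes are present */
    return DISPATCH_OK;
}

/* Bytes an unchecked cast would read beyond a packet of BufLen bytes. */
size_t ModelOverreadBytes(size_t BufLen)
{
    return BufLen < sizeof(ModelSendHkCmd_t) ? sizeof(ModelSendHkCmd_t) - BufLen : 0;
}

/* Constructed sample packet: full-size or header-only (truncated). */
DispatchResult_t ModelDispatchSample(bool Truncated, uint32_t *SumOut)
{
    ModelSendHkCmd_t Packet;
    uint32_t Unused;
    memset(&Packet, 0, sizeof(Packet));
    for (uint32_t i = 0; i < 4; i++)
        Packet.Reserved[i] = i + 1;    /* 1+2+3+4 = 10 */
    Packet.Msg.Length = Truncated ? sizeof(ModelMsg_t) : sizeof(ModelSendHkCmd_t);
    return ModelProcessSendHk(&Packet.Msg, SumOut ? SumOut : &Unused);
}
```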
Reporter Info
Erfan, Independent Space Software Security Researcher