From 891a2a87b7f61945f9ffe8a373e98b27d132e1da Mon Sep 17 00:00:00 2001
From: Ember
Date: Sat, 4 Apr 2026 17:02:53 -0700
Subject: [PATCH] =?UTF-8?q?Fix=20upper=20bound=20in=20length=20check:=2050?= =?UTF-8?q?=20=E2=86=92=2046=20to=20match=20buffer=20geometry?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The memcpy writes (length - 4) bytes at offset 8 into a 50-byte buffer, so the maximum safe length is 46 (8 + 42 = 50), not 50. With length=50 the previous check still allowed a 4-byte stack overflow.
---
 DMRNetwork.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/DMRNetwork.cpp b/DMRNetwork.cpp
index cf110c6..290f613 100644
--- a/DMRNetwork.cpp
+++ b/DMRNetwork.cpp
@@ -252,7 +252,7 @@ bool CDMRNetwork::writeRadioPosition(const unsigned char* data, unsigned int len
 if (!m_location)
 return false;
 
- if (length < 4U || length > 50U)
+ if (length < 4U || length > 46U)
 return false;
 
 unsigned char buffer[50U];
@@ -271,7 +271,7 @@ bool CDMRNetwork::writeTalkerAlias(const unsigned char* data, unsigned int lengt
 if (m_status != STATUS::RUNNING)
 return false;
 
- if (length < 4U || length > 50U)
+ if (length < 4U || length > 46U)
 return false;
 
 unsigned char buffer[50U];
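Review bot: The new bound `46U` is a hand-computed constant that has to stay in step with `unsigned char buffer[50U]` and the 8-byte header offset, and the same literal is repeated in the writeTalkerAlias hunk. The copy this check protects lies outside both hunks, so going by the commit message (length - 4 bytes written at offset 8) 46 is correct today, but nothing ties the three numbers together if the buffer or header size changes later. I would declare the buffer before the check and derive the limit from it, `if (length < 4U || (length - 4U) > (sizeof(buffer) - 8U))`, or at least add a comment such as `// 8-byte header + (length - 4) payload bytes must fit in buffer[50]`. Both function bodies continue outside the hunks.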