Fix heap buffer overflow on DMRG/DMRA packets

Incoming DMRG and DMRA packets were copied into 50-byte buffers without checking the packet length. UDP reads can return up to 500 bytes, overflowing the heap allocation. Drop oversized packets.
2026-04-06 06:53:40 +00:00 · 2026-04-04 16:49:19 -07:00 · 2026-04-04 16:49:19 -07:00 · f697c1de8c
commit f697c1de8c
parent 0e04ebae0f
1 changed files with 8 additions and 4 deletions
--- a/MMDVMNetwork.cpp
+++ b/MMDVMNetwork.cpp
@ -276,11 +276,15 @@ void CMMDVMNetwork::clock(unsigned int ms)
 		m_rxData.addData(&len, 1U);
 		m_rxData.addData(m_buffer, len);
 	} else if (::memcmp(m_buffer, "DMRG", 4U) == 0) {
-		::memcpy(m_radioPositionData, m_buffer, length);
-		m_radioPositionLen = length;
+		if (length <= 50U) {
+			::memcpy(m_radioPositionData, m_buffer, length);
+			m_radioPositionLen = length;
+		}
 	} else if (::memcmp(m_buffer, "DMRA", 4U) == 0) {
-		::memcpy(m_talkerAliasData, m_buffer, length);
-		m_talkerAliasLen = length;
+		if (length <= 50U) {
+			::memcpy(m_talkerAliasData, m_buffer, length);
+			m_talkerAliasLen = length;
+		}
 	} else if (::memcmp(m_buffer, "DMRC", 4U) == 0) {
 		m_id = (m_buffer[4U] << 24) | (m_buffer[5U] << 16) | (m_buffer[6U] << 8) | (m_buffer[7U] << 0);