Skip to content

Fix stack buffer overflow in mavlink_log_handler logdata.txt parsing #26124

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 7 commits into
base: main
Choose a base branch
from
Draft

Fix stack buffer overflow in mavlink_log_handler logdata.txt parsing #26124

Copilot wants to merge 7 commits into from
+21 −4

Conversation

Copy link
Contributor

Copilot AI commented Dec 15, 2025
edited
Loading

Stack buffer overflow in mavlink_log_handler.cpp when parsing logdata.txt: LogEntry.filepath (60 bytes) written with unbounded sscanf("%s", ...). Remotely exploitable via FTP - attacker creates log file with long filename, triggers crash via LOG_REQUEST_DATA.

Changes

Buffer size increase

  • LogEntry.filepath: 60 → 256 bytes (LOG_FILEPATH_SIZE constant)

Bounded sscanf

// Before (vulnerable)
sscanf(line, "%" PRIu32 " %" PRIu32 " %s", &time_utc, &size_bytes, filepath)

// After (safe)
sscanf(line, "%" PRIu32 " %" PRIu32 " %" LOG_FILEPATH_SCANF_WIDTH "s", &time_utc, &size_bytes, filepath)
// where LOG_FILEPATH_SCANF_WIDTH = "255"

Compile-time safety

  • static_assert(PX4_MAX_FILEPATH >= LOG_FILEPATH_SIZE) - prevents NuttX configs with insufficient path size
  • static_assert(LOG_FILEPATH_SIZE == 256) - enforces synchronization with width specifier

Files Modified

  • mavlink_log_handler.h: Define LOG_FILEPATH_SIZE constant, update struct
  • mavlink_log_handler.cpp: Add width specifiers to both sscanf calls (lines 189, 524), add assertions
Original prompt

This section details on the original issue you should resolve

<issue_title>[Bug] Stack buffer overflow in mavlink_log_handler when parsing logdata.txt due to unbounded sscanf("%s") into LogEntry.filepath</issue_title>
<issue_description>### Describe the bug

A stack-buffer-overflow vulnerability exists in PX4’s mavlink_log_handler.cpp/.h when handling logs: LogEntry.filepath is a fixed-size buffer (~60 bytes), but logdata.txt parsing uses sscanf(..., "%s", entry->filepath) without a width limit, so an overly long filename/path token can overflow the stack and crash. In practice this is remotely triggerable via the FTP microservice: an attacker creates a log file in the log directory with an excessively long filename, then sends LOG_REQUEST_LIST (receiving LOG_ENTRY) followed by LOG_REQUEST_DATA; when the handler processes the long filename during log access/parsing, the unbounded %s write overflows LogEntry.filepath, leading to a remote denial-of-service and potentially more severe memory-corruption impact.

To Reproduce

1.armed and takeoff
3.send an FTP message to create an attack file
4.send an LOG_REQUEST_FILE and recvive LOG_ENTRY
5.send an LOG_REQUEST_DATA (poc)
6.crashed

Expected behavior

PX4-Autopilot should respond to LOG_REQUEST_LIST / LOG_REQUEST_DATA normally, and a log entry with an overly long filename should be rejected (or sanitized) instead of causing a crash.

Screenshot / Media

Image Image Image Image

Flight Log

No response

Software Version

main branch

Flight controller

px4 sitl

Vehicle type

None

How are the different components wired up (including port information)

No response

Additional context

No response</issue_description>

Comments on the Issue (you are @copilot in this section)

@farhangnaderi @MaEtUgR might know what is going on here?

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot AI and others added 6 commits December 15, 2025 21:37
@dakejahl
Fix stack buffer overflow in mavlink_log_handler sscanf calls
338595e 
- Increase LogEntry.filepath buffer from 60 to 256 bytes
- Add width specifiers to sscanf calls (%255s and %1023s) to prevent buffer overflow
- Prevents remote DoS vulnerability when parsing logdata.txt with excessively long filenames

Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>
@dakejahl
Add static_assert and use consistent %255s width specifier
8e0caba 
- Add static_assert to ensure PX4_MAX_FILEPATH >= 256 at compile time
- Use %255s consistently for both sscanf calls to prevent overflow
- Add explanatory comments for the width specifier choice
- Addresses code review feedback about potential overflow on NuttX

Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>
@dakejahl
Define LOG_FILEPATH_SIZE constant for maintainability
5037a96 
- Add LOG_FILEPATH_SIZE constant (256) in both header and cpp
- Update LogEntry.filepath to use the constant
- Improve comments explaining width specifier relationship
- Addresses code review feedback about magic numbers

Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>
@dakejahl
Remove duplicate constant and use header LOG_FILEPATH_SIZE
5cdc783 
- Remove duplicate LOG_FILEPATH_SIZE macro from cpp file
- Use MavlinkLogHandler::LOG_FILEPATH_SIZE consistently throughout
- Update local filepath buffer to use the same size as LogEntry.filepath
- Addresses code review feedback about duplication and consistency

Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>
@dakejahl
Use LOG_FILEPATH_SCANF_WIDTH macro for format specifier
ca336fb 
- Define LOG_FILEPATH_SCANF_WIDTH macro for the sscanf width specifier
- Replace hardcoded '255' with the named macro in both sscanf calls
- Improves maintainability and makes the relationship between buffer size and width explicit
- Addresses final code review feedback about magic numbers

Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>
@dakejahl
Add static_assert to verify LOG_FILEPATH_SCANF_WIDTH is synchronized
fe7bf84 
- Add compile-time check that LOG_FILEPATH_SIZE == 256
- Ensures LOG_FILEPATH_SCANF_WIDTH stays synchronized if buffer size changes
- Provides clear error message if someone modifies LOG_FILEPATH_SIZE

Co-authored-by: dakejahl <37091262+dakejahl@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix stack buffer overflow in mavlink_log_handler Fix stack buffer overflow in mavlink_log_handler logdata.txt parsing Dec 15, 2025
Copilot AI requested a review from dakejahl December 15, 2025 21:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dakejahl dakejahl Awaiting requested review from dakejahl

At least 1 approving review is required to merge this pull request.

Assignees

@dakejahl dakejahl

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Bug] Stack buffer overflow in mavlink_log_handler when parsing logdata.txt due to unbounded sscanf("%s") into LogEntry.filepath

2 participants

@dakejahl