[BUG] dlt_buffer_get allows buffer overflow.

[edgdsj]

In cases where the block saved in DLT buffer is at least 20% bigger than DLT_DAEMON_RCVBUFSIZE, the dlt_buffer_read_block method will cause a buffer overflow.

[edgdsj]

I couldn't push a branch with a fix suggestion. Do I need to fork to start an issue?

[minminlittleshrimp]

Can you share the finding via a writeup? and how this could affect dlt? is this related to dlt overflow mechanism: raise ovf flag and discard messages?

[edgdsj]

Hi @minminlittleshrimp
In the dlt_buffer_get method, we have the following code:

` /* third check size */
if (max_size && (head.size > max_size))
dlt_vlog(LOG_WARNING,
"%s: Buffer: Max size is smaller than read header size. Max size: %d\n",
func, max_size);

/* nothing to do but data does not fit provided buffer */

if ((data != NULL) && max_size) {
    /* read data */
    dlt_buffer_read_block(buf, &read, data, (unsigned int)head.size);

    if (delete)
        /* update buffer pointers */
        ((int *)(buf->shm))[1] = read; /* set new read pointer */

}

.
.
.

return head.size; `

I saw blocks much larger than max_size, which can cause a buffer overflow or corrupt memory, ending in a dlt-daemon crash. The comment says that there is nothing to do, but it is possible to copy only up to the max_size. Making like this, the only con is losing a few messages, but still much better than crashing the whole daemon.

So my purpose is this patch:

` int copy_size = head.size;

if ((data != NULL) && max_size) {
    /* third check size */
    if (head.size > max_size){
        dlt_vlog(LOG_WARNING,
                "%s: Buffer: Max size is smaller than read header size. Max size: %d. clipping message\n",
                __func__, max_size);
        copy_size = max_size;
    }
    /* read data */
    dlt_buffer_read_block(buf, &read, data, (unsigned int)copy_size);

    if (delete)
        /* update buffer pointers */
        ((int *)(buf->shm))[1] = read; /* set new read pointer */

}

.
.
.
return copy_size;`

Here we are going to copy the block until the max size, preventing the crash, and the warning message comes only in case of copying. Also, I could confirm the issue through the following unit test.

`TEST(t_dlt_buffer_get, read_buffer_smaller_than_block_size)
{
DltBuffer buf;
unsigned char write_data[DLT_DAEMON_RCVBUFSIZE + 2004] = {0}; //simulate a block 20% bigger than DLT_DAEMON_RCVBUFSIZE. The only limitation for block size is the max buffer size, so this is possible.
static char data[DLT_DAEMON_RCVBUFSIZE] = {0};

EXPECT_LE(DLT_RETURN_OK,
          dlt_buffer_init_dynamic(&buf, DLT_USER_RINGBUFFER_MIN_SIZE, DLT_USER_RINGBUFFER_MAX_SIZE,
                                  DLT_USER_RINGBUFFER_STEP_SIZE));

EXPECT_LE(DLT_RETURN_OK, dlt_buffer_push(&buf, write_data, sizeof(write_data)));
EXPECT_LE(dlt_buffer_get(&buf, (unsigned char *)data, sizeof(data), 0), sizeof(data));

EXPECT_LE(DLT_RETURN_OK, dlt_buffer_free_dynamic(&buf));

}`

[edgdsj]

@minminlittleshrimp I have closed this by accident.

[e-souza5]

@minminlittleshrimp

[minminlittleshrimp]

Hi all, we are busy a bit these days, we plan for next week starting working back on topics issue
Thanks for being patient

[aki1770-del]

We've opened PR #834 as a fix for the buffer overflow identified here. Happy to adjust the approach if the team prefers a different strategy.

AI-assisted — authored with Claude, reviewed by Komada.