Describe the bug
In the msg_api_test.c functional test (part of cfe_testcase module), this allocates a CFE_MSG_CommandHeader_t object on the stack, and then proceeds to access this object with all header access APIs.
Importantly ... this includes header accessors that are intended for TLM, which is a slightly bigger header than CMD in the default config. As the message type wasn't set to CMD, the TLM header accessors proceed, and this results in overflowing the buffer.
To Reproduce
Execute CFE test cases, in particular this one: https://github.com/nasa/cFE/blob/ed1faf4663689161a1a4cf5935a7c415b625ffb1/modules/cfe_testcase/src/msg_api_test.c#L258
This attempts to set the message time in a CMD packet, which is a field that is only in TLM (at least in the default header impl).
Expected behavior
The stack buffer must be allocated to allow access as CMD or TLM.
Code snips
See above
System observed on:
Debian with -fsanitize=address switch enabled
Additional context
Discovered using address sanitizer
Reporter Info
Joseph Hickey, Vantage Systems, Inc.
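The sizing requirement stated under "Expected behavior", as an added example that is not part of the original report and not cFE code: a union gives the stack buffer room for either the CMD or the TLM view, and a size-aware setter rejects the CMD-only buffer instead of writing past it. All `demo_*` names and the header layouts are hypothetical stand-ins, not the real cFE types or accessors.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins for the message headers; field layout and sizes are
 * illustrative only, NOT the real cFE definitions. */
typedef struct { uint8_t primary[6]; } demo_msg_t;                  /* common primary header */
typedef struct { demo_msg_t msg; uint8_t fc; uint8_t cksum; } demo_cmd_hdr_t;
typedef struct { demo_msg_t msg; uint8_t time[6]; } demo_tlm_hdr_t; /* larger than CMD */

/* Buffer type large enough for either view of the message. */
typedef union { demo_msg_t msg; demo_cmd_hdr_t cmd; demo_tlm_hdr_t tlm; } demo_any_hdr_t;
_Static_assert(sizeof(demo_any_hdr_t) >= sizeof(demo_tlm_hdr_t), "buffer must fit TLM");

enum { DEMO_OK = 0, DEMO_ERR_TOO_SMALL = -1 };

/* Hypothetical TLM-only setter: the time field lies past the end of a CMD
 * header, so the caller passes the real buffer size and the write is refused
 * when the buffer cannot hold a TLM header. */
int demo_set_msg_time(demo_msg_t *msg, size_t buf_size, const uint8_t *stamp)
{
    if (msg == NULL || stamp == NULL || buf_size < sizeof(demo_tlm_hdr_t))
        return DEMO_ERR_TOO_SMALL;
    memcpy(((demo_tlm_hdr_t *)msg)->time, stamp, sizeof(((demo_tlm_hdr_t *)msg)->time));
    return DEMO_OK;
}

/* Returns a bitmask: 1 = CMD-only buffer accepted, 2 = union accepted, 4 = data landed. */
int demo_run(void)
{
    static const uint8_t stamp[6] = {1, 2, 3, 4, 5, 6};   /* constructed sample value */
    demo_cmd_hdr_t cmd_only;   /* CMD-sized stack object: too small for TLM access */
    demo_any_hdr_t any;        /* sized for CMD or TLM */
    int result = 0;

    memset(&cmd_only, 0, sizeof(cmd_only));
    memset(&any, 0, sizeof(any));
    if (demo_set_msg_time(&cmd_only.msg, sizeof(cmd_only), stamp) == DEMO_OK) result |= 1;
    if (demo_set_msg_time(&any.msg, sizeof(any), stamp) == DEMO_OK)           result |= 2;
    if (memcmp(any.tlm.time, stamp, sizeof(stamp)) == 0)                      result |= 4;
    return result;
}

int main(void) { return demo_run() == 6 ? 0 : 1; }
```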