From 5cd85b98c2d0d68bd1291239f8ac6984c666b58c Mon Sep 17 00:00:00 2001
From: Gene <mereweth@jpl.nasa.gov>
Date: Mon, 3 Oct 2016 17:12:08 -0700
Subject: [PATCH] Fixed app args buffer overrun in qurt px4_layer main.cpp and
 qshell.cpp

---
 src/drivers/qshell/qurt/qshell.cpp    | 10 +++++++++-
 src/platforms/qurt/px4_layer/main.cpp | 12 ++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/src/drivers/qshell/qurt/qshell.cpp b/src/drivers/qshell/qurt/qshell.cpp
index 56ace44e03..151797df9e 100644
--- a/src/drivers/qshell/qurt/qshell.cpp
+++ b/src/drivers/qshell/qurt/qshell.cpp
@@ -61,6 +61,8 @@
 #include <drivers/drv_hrt.h>
 #include "DriverFramework.hpp"
 
+#define MAX_ARGS 8 // max number of whitespace separated args after app name
+
 extern void init_app_map(std::map<std::string, px4_main_t> &apps);
 extern void list_builtins(std::map<std::string, px4_main_t> &apps);
 
@@ -155,10 +157,16 @@ int QShell::run_cmd(const std::vector<std::string> &appargs)
 	//replaces app.find with iterator code to avoid null pointer exception
 	for (map<string, px4_main_t>::iterator it = apps.begin(); it != apps.end(); ++it) {
 		if (it->first == command) {
-			const char *arg[2 + 1];
+			// one for command name, one for null terminator
+			const char *arg[MAX_ARGS + 2];
 
 			unsigned int i = 0;
 
+			if (appargs.size() > MAX_ARGS + 1) {
+				PX4_ERR("%d too many arguments in run_cmd", appargs.size() - (MAX_ARGS + 1));
+				return 1;
+			}
+
 			while (i < appargs.size() && appargs[i].c_str()[0] != '\0') {
 				arg[i] = (char *)appargs[i].c_str();
 				PX4_DEBUG("  arg%d = '%s'\n", i, arg[i]);
diff --git a/src/platforms/qurt/px4_layer/main.cpp b/src/platforms/qurt/px4_layer/main.cpp
index 39006cc1f1..c20f468450 100644
--- a/src/platforms/qurt/px4_layer/main.cpp
+++ b/src/platforms/qurt/px4_layer/main.cpp
@@ -51,6 +51,8 @@
 #include "apps.h"
 #include "DriverFramework.hpp"
 
+#define MAX_ARGS 8 // max number of whitespace separated args after app name
+
 using namespace std;
 
 extern void init_app_map(map<string, px4_main_t> &apps);
@@ -76,10 +78,16 @@ static void run_cmd(map<string, px4_main_t> &apps, const vector<string> &appargs
 	//replaces app.find with iterator code to avoid null pointer exception
 	for (map<string, px4_main_t>::iterator it = apps.begin(); it != apps.end(); ++it)
 		if (it->first == command) {
-			const char *arg[2 + 1];
+			// one for command name, one for null terminator
+			const char *arg[MAX_ARGS + 2];
 
 			unsigned int i = 0;
 
+			if (appargs.size() > MAX_ARGS + 1) {
+				PX4_ERR("%d too many arguments in run_cmd", appargs.size() - (MAX_ARGS + 1));
+				return;
+			}
+
 			while (i < appargs.size() && appargs[i].c_str()[0] != '\0') {
 				arg[i] = (char *)appargs[i].c_str();
 				PX4_DEBUG("  arg%d = '%s'\n", i, arg[i]);
@@ -202,7 +210,7 @@ const char *get_commands()
 	PX4_ERR("Could not open %s\n", COMMANDS_ADSP_FILE);
 
 	static const char *commands =
-		"uorb start\n"
+		"uorb start\nqshell start\n"
 		;
 
 	return commands;