Mavgen C: Use strncpy instead of memcpy to pack char[n] fields #922
Conversation
|
@peterbarker Can you please look at this. Fixes #725 which has come up a few times as a problem, in particular for new users after they have discovered this the hard way. |
| if (src == NULL) { | ||
| memset(dest, 0, n); | ||
| } else { | ||
| strncpy(dest, src, n); |
There was a problem hiding this comment.
the problem is that this will leave the bytes after the string uninitialised, which leaks information and will change the CRC. I think we need to have a mav_strcpy() which zero fills
There was a problem hiding this comment.
Hi. My understanding of strncpy is that it already will zero-fill the destination buffer up to n, in the case where the src buffer is shorter.
e.g. this page states "If the array pointed to by s2 is a string that is shorter than n bytes, NUL characters shall be appended to the copy in the array pointed to by s1, until n bytes in all are written."
There was a problem hiding this comment.
I didn't know that strncpy fills with zeros. I also always assumed it just wrote only one zero. In that case, I think this should work.
@tridge do you agree?
There was a problem hiding this comment.
I'm bumping this as it would be nice to have!
There was a problem hiding this comment.
hmm, it does seem to be guaranteed by the strncpy definition
If the length of src is less than n, strncpy() writes additional null bytes to dest to ensure that a total of n bytes are written.
There was a problem hiding this comment.
I've added a code comment to each strncpy call to say this, as it is indeed not a very known feature:
/* strncpy will zero pad dest array up to n bytes */
Is this then ok to resolve the review comment?
Also rebased to latest master.
Uses new macros mavlink_array_assign_[type] in place of direct calls to mav_array_memcpy. The 'char' version then uses strncpy, while others call mav_array_memcpy as before Update _mav_put_char_array function to use strncpy
shancock884
force-pushed
the
iss725-string-serializarion
branch
from
366ebe5
to
f88ec4f
Compare
|
On Tue, 17 Sep 2024, Simon Hancock wrote:
/* strncpy will zero pad dest array up to n bytes */
Not a blocker at all, but I will note that ArduPilot's "strncpy_noterm"
does not obey this rule.
|
|
So there is no reason this can't go in @peterbarker? Can you merge? |
The aim of this PR is to fix #725 and fix mavlink/mavlink#1946
Current situation:
At present when a user calls the
mavlink_msg_<message>_packfunction on a message containing char[n] fields, these fields will be copied into the destination buffer using memcpy. This can go wrong in a couple of ways, if end users are not careful, for example....These extra bytes will stop the Mavlink 2 message-truncation from being as efficient as it can be, and may confuse some receivers.
Proposal:
This PR proposes to use the strncpy function when packing char arrays, as I believe that this aligns with the way in which Mavlink char array fields are specified and used:
This should both protect against reading bad memory, and also ensure bytes beyond the length of short strings are zero, allowing the Mavlink 2 message truncation to work properly.
For little-endian and struct-aligned cases:
This is done by replacing the calls to
mav_array_memcpyin mavgen_c.py with type-specific array assignment macrosmavlink_array_assign_[type].For char arrays, this uses
strncpy(after check that input is not null pointer).For other arrays, this is a thin-macro which calls
mav_array_memcpy, as per current behaviour.Big big-endian or non-struct-aligned cases:
This is done by an update to the existing
_mav_put_char_arrayfunction to usestrncpy(after check that input is not null pointer).Testing
I've tested this update (in particular using the PARAM_REQUEST_READ and PLAY_TUNE messages) on my system.
I also checked compilation with MAVLINK_ALIGNED_FIELDS=0.