Fix out-of-bounds read in VoiceKit::dfu_reboot_()#554
Open
teancom wants to merge 1 commit intoesphome:devfrom
Open
Fix out-of-bounds read in VoiceKit::dfu_reboot_()#554teancom wants to merge 1 commit intoesphome:devfrom
teancom wants to merge 1 commit intoesphome:devfrom
Conversation
The reboot_req array had 3 elements but write() was called with a hardcoded length of 4, reading one byte past the array from the stack. Add the missing payload byte required by the XMOS DFU protocol and use sizeof(reboot_req) instead of a hardcoded length to prevent mismatch. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
The reboot_req array had 3 elements but write() was called with a hardcoded length of 4, reading one byte past the array from the stack. Add the missing payload byte required by the XMOS DFU protocol and use sizeof(reboot_req) instead of a hardcoded length to prevent mismatch.
Note that this worked previously because the XMOS device doesn't actually care what's in the command byte, so any value we send is fine. This cleanup is to help save the next person who wonders why we declare are array of 3 bytes and send 4 bytes some worry, it changes no functionality.