sos_filter: Improve error checking on section_idx

Validate the host-provided index before using it to access memory.

Also, consistently use a uint8_t for max_sections (to account for
integer overflow issues).

Signed-off-by: Kevin O'Connor <kevin@koconnor.net>
Kevin O'Connor 2025-05-29 19:27:39 -04:00
parent eb43b20e3b
commit 8d7e487149
2 changed files with 14 additions and 6 deletions


@ -176,7 +176,7 @@ class SosFilter:
# create an uninitialized filter object
def create_filter(self):
self._mcu.add_config_cmd("config_sos_filter oid=%d max_sections=%u"
self._mcu.add_config_cmd("config_sos_filter oid=%d max_sections=%d"
% (self._oid, self._max_sections))
self._configure_filter(is_init=True)


@ -87,7 +87,7 @@ sosfilt(struct sos_filter *sf, const int32_t unfiltered_value) {
void
command_config_sos_filter(uint32_t *args)
{
uint32_t max_sections = args[1];
uint8_t max_sections = args[1];
uint32_t size = offsetof(struct sos_filter, filter[max_sections]);
struct sos_filter *sf = oid_alloc(args[0]
, command_config_sos_filter, size);
@ -95,7 +95,7 @@ command_config_sos_filter(uint32_t *args)
sf->is_active = 0;
}
DECL_COMMAND(command_config_sos_filter, "config_sos_filter oid=%c"
" max_sections=%u");
" max_sections=%c");
// Lookup an sos_filter
struct sos_filter *
@ -104,6 +104,14 @@ sos_filter_oid_lookup(uint8_t oid)
return oid_lookup(oid, command_config_sos_filter);
}
// Check that a section index parameter is valid
static void
validate_section_index(struct sos_filter *sf, uint8_t section_idx)
{
if (section_idx > sf->max_sections)
shutdown("Filter section index larger than max_sections");
}
// Set one section of the filter
void
command_sos_filter_set_section(uint32_t *args)
@ -112,6 +120,7 @@ command_sos_filter_set_section(uint32_t *args)
// setting a section marks the filter as inactive
sf->is_active = 0;
uint8_t section_idx = args[1];
validate_section_index(sf, section_idx);
// copy section data
const uint8_t arg_base = 2;
for (uint8_t i = 0; i < SECTION_WIDTH; i++) {
@ -131,6 +140,7 @@ command_sos_filter_set_state(uint32_t *args)
sf->is_active = 0;
// copy state data
uint8_t section_idx = args[1];
validate_section_index(sf, section_idx);
const uint8_t arg_base = 2;
sf->filter[section_idx].state[0] = args[0 + arg_base];
sf->filter[section_idx].state[1] = args[1 + arg_base];
@ -144,9 +154,7 @@ command_sos_filter_activate(uint32_t *args)
{
struct sos_filter *sf = sos_filter_oid_lookup(args[0]);
uint8_t n_sections = args[1];
if (n_sections > sf->max_sections) {
shutdown("Filter section count larger than max_sections");
}
validate_section_index(sf, n_sections);
sf->n_sections = n_sections;
const uint8_t coeff_int_bits = args[2];
sf->coeff_frac_bits = (31 - coeff_int_bits);
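Review bot: The new validate_section_index helper is off by one for the two index users: it rejects only `section_idx > sf->max_sections`, so a host-supplied index equal to max_sections passes and command_sos_filter_set_section / command_sos_filter_set_state then write `sf->filter[max_sections]`, which lies one element past the block sized by `offsetof(struct sos_filter, filter[max_sections])` in command_config_sos_filter. The helper is also reused in command_sos_filter_activate for n_sections, which is a count rather than an index, so there `<=` max_sections is correct and the same condition cannot serve both. The index check should read `if (section_idx >= sf->max_sections)`, and the activate path should keep its own count bound, e.g. `if (n_sections > sf->max_sections) shutdown("Filter section count larger than max_sections");`. A one-line comment on the helper stating that it validates a zero-based index, not a section count, would prevent the reuse from recurring. The bodies of set_section, set_state and activate continue outside the hunks.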