PX4
cpe:2.3:a:dronecode:px4_drone_autopilot:*:*:*:*:*:*:*
- <= 1.17.0-rc1
A stack-based buffer overflow vulnerability has been identified in the PX4 Autopilot MAVLink log handler, affecting versions through 1.17.0-rc2. The vulnerability arises because the LogEntry.filepath buffer, which is limited to 60 bytes, is parsed by the sscanf function without a width specifier. This oversight allows paths longer than 60 characters to overflow the buffer. An attacker with access to the MAVLink link can exploit this by creating deeply nested directories via MAVLink FTP, then requesting the log list, which triggers the overflow. The exploitation causes the flight controller's MAVLink task to crash, disrupting telemetry and command capabilities, and leading to a denial-of-service condition.
Exploitation of this vulnerability causes the flight controller's MAVLink task to crash, resulting in a loss of telemetry and command capabilities, and creating a denial-of-service condition.
To reproduce this vulnerability, first upload a directory structure via MAVLink FTP that creates paths longer than 60 characters. Then, send a MAVLink log request that triggers the log list parsing. Because the sscanf call has no width specifier, the over-long path is copied past the end of the 60-byte filepath buffer on the stack.
This vulnerability has been fixed by resizing the LogEntry.filepath to accommodate the maximum filepath length, adding width specifiers to the sscanf calls to prevent overflow, and implementing a static assertion to ensure the scanf width is less than the buffer size at compile time.
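As an added illustration of the fix described above (example code, not PX4's own): a simplified stand-in for the 60-byte LogEntry.filepath field, the width-bounded sscanf call, the compile-time check that the width fits the buffer, and a rejection path for names that were cut short. The struct, field and function names, and the sample log line, are hypothetical.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-in for the 60-byte LogEntry.filepath field. */
#define LOG_PATH_LEN 60
/* Kept as a separate literal so it can be spliced into the format string;
 * the static assertion is what ties it back to the buffer size. */
#define LOG_PATH_SCAN_WIDTH 59
_Static_assert(LOG_PATH_SCAN_WIDTH < LOG_PATH_LEN,
               "scanf width must be smaller than the filepath buffer");

/* Splice an integer constant into the scanf format string at preprocessing time. */
#define STR_(x) #x
#define STR(x) STR_(x)

struct log_entry {               /* hypothetical layout */
    unsigned long time_utc;
    unsigned long size_bytes;
    char filepath[LOG_PATH_LEN];
};

/* Vulnerable pattern, shown for contrast and not used below:
 *   sscanf(line, "%lu %lu %s", &e->time_utc, &e->size_bytes, e->filepath);
 * With no width, a path longer than 59 characters runs past filepath.
 * Hardened parser: returns 0 on success, -1 if the line is malformed,
 * -2 if the path was longer than the buffer (detected via %n) and so rejected. */
int parse_log_line(const char *line, struct log_entry *e)
{
    int consumed = 0;
    memset(e, 0, sizeof *e);
    if (sscanf(line, "%lu %lu %" STR(LOG_PATH_SCAN_WIDTH) "s%n",
               &e->time_utc, &e->size_bytes, e->filepath, &consumed) != 3)
        return -1;
    /* %59s stops silently at 59 bytes; any non-blank text left over means the
     * path was cut short, so report an error instead of a wrong filename. */
    const char *rest = line + consumed;
    while (*rest == ' ' || *rest == '\t' || *rest == '\n')
        rest++;
    return *rest == '\0' ? 0 : -2;
}

int main(void)
{
    struct log_entry e;
    /* Constructed sample line, not captured from a real vehicle. */
    int rc = parse_log_line("1700000000 4096 /fs/microsd/log/2024-01-01/12_00_00.ulg", &e);
    printf("rc=%d size=%lu path=%s\n", rc, e.size_bytes, e.filepath);
    return rc;
}
```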