Array ota_info.md5 out of boundaries on OTA when calling base64_decode #67
Comments
|
looks like you are absolutely right, I think the Problem is that the decoded message is in fact 16 byte long, which is absolutely right, but then at the End of the Function the String Terminator (\0) gets addet, which is the 17th byte and like you said this is overflowing. |
|
one verry interesting thing is also, that the Function base64_decode also gets used to decode the whole Firmware sent over the OTA function. This means that every Block of Memmory has a String Terminator (B00000000) at the End, maybe the Instruction (B00000000) doesn't do anything (maybe the NOP Instruction) but it defently gets written in the Flash! I'm thinking about just removing the String Terminator in the base64_decode, because if you really want to use String Functions on the decoded CharArray, you could just add the Terminator after you called base64_decode. besides the only 2 times the Function is cadded is for decoding the MD5 sum and decoding the OTA binary packets. And base64_encode isn't called at all |
String Terminator was a verry bad Idea, because it causes an Overflow in decoding the MD5 Sum and writing String Terminators in the executed Flash by an OTA Update see PhracturedBlue#67
String Terminator was a verry bad Idea, because it causes an Overflow in decoding the MD5 Sum and writing String Terminators in the executed Flash by an OTA Update see PhracturedBlue#67
Version Information:
Description of problem:
Probable overflow of
ota_info.md5onhttps://github.com/PhracturedBlue/ESP8266MQTTMesh/blob/master/src/ESP8266MQTTMesh.cpp#L754
in function base64_decode(..)
https://github.com/PhracturedBlue/ESP8266MQTTMesh/blob/master/src/Base64.cpp#L59
I just tested it and, according to my tests,
decLengoes up to 16. Thus,ota_info.md5goes out of it boundaries.The text was updated successfully, but these errors were encountered: