Potential Buffer Overrun in CANMessage Constructor #12311

@daniel-starke

Description of defect

The CANMessage constructor takes data and length in two variants. Both variants limit the length to 8 bytes when setting the internal length member but fail to use that instead of the unlimited input parameter _len when performing the memcpy() from the passed data pointer. This leads to a potential buffer overrun if an invalid data length is passed to the constructor. I suggest using len instead of _len for memcpy() in both instances of the constructor. See source code.

Target(s) affected by this defect ?

Every target that supports the CAN bus.

Toolchain(s) (name and version) displaying this defect ?

None. This was found by manual code analysis.

What version of Mbed-os are you using (tag or sha) ?

mbed-os-99.99.99
sha: 5933dec

What version(s) of tools are you using. List all that apply (E.g. mbed-cli)

None.

How is this defect reproduced ?

Code analysis.
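
The pattern described in this issue, as an added example that is not part of the original report and is not Mbed OS source code: a simplified model showing the reported copy beside the suggested one. The names `CanFrameModel`, `AsReported`, `Fixed`, `kMaxLen` and `fixed_copy_is_bounded` are hypothetical, and the clamp is assumed to be a plain cap at 8 bytes.

```cpp
#include <cstring>

// Simplified model of the constructor pattern from the issue (not Mbed OS code).
constexpr unsigned char kMaxLen = 8;   // classic CAN payload limit

struct CanFrameModel {
    unsigned char data[kMaxLen];
    unsigned char len;

    struct AsReported {};   // hypothetical tag: pattern as reported
    struct Fixed {};        // hypothetical tag: suggested fix

    // As reported: len is clamped, but memcpy() still uses the raw _len.
    // Any _len > 8 writes past data[]; only safe when _len <= 8.
    CanFrameModel(AsReported, const unsigned char *_data, unsigned char _len)
    {
        len = (_len > kMaxLen) ? kMaxLen : _len;
        std::memset(data, 0, sizeof(data));
        std::memcpy(data, _data, _len);    // BUG: unclamped length
    }

    // Suggested fix: copy using the clamped member len.
    CanFrameModel(Fixed, const unsigned char *_data, unsigned char _len)
    {
        len = (_len > kMaxLen) ? kMaxLen : _len;
        std::memset(data, 0, sizeof(data));
        std::memcpy(data, _data, len);     // bounded by sizeof(data)
    }
};

// Returns true when the fixed constructor stores exactly min(requested, 8)
// bytes from a constructed 12-byte source and leaves the remainder zeroed.
bool fixed_copy_is_bounded(unsigned char requested)
{
    const unsigned char src[12] = {1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12};
    CanFrameModel f(CanFrameModel::Fixed{}, src, requested);
    const unsigned char expect = (requested > kMaxLen) ? kMaxLen : requested;
    if (f.len != expect) return false;
    for (unsigned i = 0; i < kMaxLen; ++i) {
        if (f.data[i] != (i < expect ? src[i] : 0)) return false;
    }
    return true;
}

int main()
{
    // Oversized request (12) must be truncated to 8 by the fixed variant.
    return fixed_copy_is_bounded(12) ? 0 : 1;
}
```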
