
[Bug] Stack buffer overflow in mavlink_log_handler when parsing logdata.txt due to unbounded sscanf("%s") into LogEntry.filepath #26118

@Fuzz0X

Description


Describe the bug

A stack-buffer-overflow vulnerability exists in PX4’s mavlink_log_handler.cpp/.h when handling logs: LogEntry.filepath is a fixed-size buffer (~60 bytes), but logdata.txt parsing uses sscanf(..., "%s", entry->filepath) without a width limit, so an overly long filename/path token can overflow the stack and crash. In practice this is remotely triggerable via the FTP microservice: an attacker creates a log file in the log directory with an excessively long filename, then sends LOG_REQUEST_LIST (receiving LOG_ENTRY) followed by LOG_REQUEST_DATA; when the handler processes the long filename during log access/parsing, the unbounded %s write overflows LogEntry.filepath, leading to a remote denial-of-service and potentially more severe memory-corruption impact.

To Reproduce

1. Arm and take off
3. Send an FTP message to create an attack file
4. Send a LOG_REQUEST_FILE and receive LOG_ENTRY
5. Send a LOG_REQUEST_DATA (poc)
6. Crashed

Expected behavior

PX4-Autopilot should respond to LOG_REQUEST_LIST / LOG_REQUEST_DATA normally, and a log entry with an overly long filename should be rejected (or sanitized) instead of causing a crash.
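The following C program is an added illustration of the parsing defect described above and of the "reject instead of crash" behaviour this section asks for; it is not PX4 code and is not taken from mavlink_log_handler.cpp. The buffer size (60 bytes), the field names and the `<utc_seconds> <size_bytes> <path>` line layout of logdata.txt are assumptions made for the example. It keeps the unbounded `"%s"` pattern only for contrast (it is never executed on the long input) and shows a bounded parser that ties the scanf width to the buffer size and uses `%n` to detect, and reject, a path token that would not have fit, rather than silently truncating it to a different file name.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Sizes and line format are assumptions for this example (the issue only says
 * filepath is "about 60 bytes"); the real PX4 struct and logdata.txt layout may differ. */
#define LOG_PATH_WIDTH 59                    /* max characters sscanf may store */
#define LOG_PATH_MAX   (LOG_PATH_WIDTH + 1)  /* plus the NUL terminator         */
#define STR_(x) #x
#define STR(x)  STR_(x)                      /* 59 -> "59", spliced into the format */

struct LogEntry {
    unsigned time_utc;            /* assumed field: UTC seconds of the log */
    unsigned size;                /* assumed field: file size in bytes     */
    char filepath[LOG_PATH_MAX];
};

/* The pattern the issue describes: "%s" carries no width, so a token longer
 * than LOG_PATH_WIDTH characters is written past the end of filepath.
 * Kept only for contrast; never call it on untrusted input. */
int parse_log_line_unbounded(const char *line, struct LogEntry *e)
{
    return sscanf(line, "%u %u %s", &e->time_utc, &e->size, e->filepath) == 3;
}

/* Hardened parser: the width is derived from the buffer size, and %n reports
 * where the path token stopped. If the next character is neither whitespace
 * nor end of line, the token was longer than the buffer; the entry is then
 * rejected instead of being silently truncated. */
int parse_log_line_bounded(const char *line, struct LogEntry *e)
{
    int consumed = -1;
    struct LogEntry tmp = {0};

    if (sscanf(line, "%u %u %" STR(LOG_PATH_WIDTH) "s%n",
               &tmp.time_utc, &tmp.size, tmp.filepath, &consumed) != 3) {
        return 0;                                   /* malformed line */
    }
    if (consumed < 0 ||
        (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))) {
        return 0;                                   /* path token too long */
    }
    *e = tmp;
    return 1;
}

/* Walk a whole logdata.txt buffer, keeping well-formed entries and counting
 * the ones dropped. Returns the number of entries stored in out[]. */
size_t parse_logdata(const char *text, struct LogEntry *out, size_t max_out,
                     size_t *rejected)
{
    size_t n = 0;
    *rejected = 0;
    while (*text && n < max_out) {
        const char *nl = strchr(text, '\n');
        size_t rawlen = nl ? (size_t)(nl - text) : strlen(text);
        size_t len = rawlen;
        char line[512];                              /* one logdata.txt line */
        if (len >= sizeof line) {                    /* clip for the copy; an   */
            len = sizeof line - 1;                   /* overlong path is still  */
        }                                            /* rejected by the parser  */
        memcpy(line, text, len);
        line[len] = '\0';
        if (parse_log_line_bounded(line, &out[n])) { n++; } else { (*rejected)++; }
        text = nl ? nl + 1 : text + rawlen;
    }
    return n;
}

/* Constructed sample input: one normal entry, one entry whose path is 200
 * characters long (the overflow case), and one garbage line. */
size_t demo_accepted(size_t *rejected)
{
    char longpath[201];
    memset(longpath, 'A', 200);
    longpath[200] = '\0';

    char text[600];
    snprintf(text, sizeof text,
             "1700000000 4096 /fs/microsd/log/2023-11-14/12_00_00.ulg\n"
             "1700000001 8192 /fs/microsd/log/%s\n"
             "not a log line\n", longpath);

    struct LogEntry entries[8];
    return parse_logdata(text, entries, 8, rejected);
}

int main(void)
{
    size_t rejected = 0;
    size_t kept = demo_accepted(&rejected);
    printf("kept %zu entries, rejected %zu\n", kept, rejected);   /* kept 1, rejected 2 */
    return 0;
}
```

The essential change is that the scanf width is generated from the same constant that sizes the buffer, so the two cannot drift apart; the `%n` check is what turns a silent truncation into an explicit rejection, which matters because a truncated path would otherwise be handed to the file-open code as if it were a valid log name.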

Screenshot / Media


Flight Log

No response

Software Version

main branch

Flight controller

px4 sitl

Vehicle type

None

How are the different components wired up (including port information)

No response

Additional context

No response
