From 310cbbedb11a1e1cd97ad0379a18a30977c36a80 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beat=20K=C3=BCng?= <beat-kueng@gmx.net>
Date: Fri, 13 Jun 2025 14:15:38 +0200
Subject: [PATCH] fix septentrio: check for buffer underflow

_message.header.length - 4 is passed as unsigned to the CRC method, so if
_message.header.length < 4, the length wraps and causes invalid memory
access.
---
 src/drivers/gnss/septentrio/sbf/decoder.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/drivers/gnss/septentrio/sbf/decoder.cpp b/src/drivers/gnss/septentrio/sbf/decoder.cpp
index 14e0682074..3e742bcd3c 100644
--- a/src/drivers/gnss/septentrio/sbf/decoder.cpp
+++ b/src/drivers/gnss/septentrio/sbf/decoder.cpp
@@ -262,7 +262,7 @@ bool Decoder::done() const
 
 bool Decoder::can_parse() const
 {
-	return done() && _message.header.length <= sizeof(_message)
+	return done() && _message.header.length <= sizeof(_message) && _message.header.length > 4
 	       && _message.header.crc == buffer_crc16(reinterpret_cast<const uint8_t *>(&_message) + 4, _message.header.length - 4);
 }