fix(crsf_rc): validate variable-length packet size before buffer copy

Variable-length known packet types (CRSF_PACKET_TYPE_ELRS_STATUS,
CRSF_PACKET_TYPE_LINK_STATISTICS_TX, CRSF_PACKET_TYPE_MSP_WRITE)
bypassed the bounds check that exists for unknown packets. A crafted
packet with a large size field could overflow the 64-byte process_buffer
during QueueBuffer_PeekBuffer() in the CRC state.

Apply the same CRSF_MAX_PACKET_LEN bounds check to variable-length
known packets that already exists for unknown packets.

Fixes GHSA-mqgj-hh4g-fg5p

Signed-off-by: Ramon Roche <mrpollo@gmail.com>
Ramon Roche 2026-03-12 20:56:08 -07:00
parent e8e86a2e0f
commit bf4fac7e61


@ -401,6 +401,15 @@ bool CrsfParser_TryParseCrsfPacket(CrsfPacket_t *const new_packet, CrsfParserSta
if (working_descriptor->packet_size == -1) {
working_segment_size = packet_size - PACKET_SIZE_TYPE_SIZE;
if (working_index + working_segment_size + CRC_SIZE > CRSF_MAX_PACKET_LEN) {
parser_statistics->invalid_known_packet_sizes++;
parser_state = PARSER_STATE_HEADER;
working_segment_size = HEADER_SIZE;
working_index = 0;
buffer_count = QueueBuffer_Count(&rx_queue);
continue;
}
} else {
if (packet_size != working_descriptor->packet_size + PACKET_SIZE_TYPE_SIZE) {
parser_statistics->invalid_known_packet_sizes++;
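Review bot: the new guard bounds `working_index + working_segment_size + CRC_SIZE` against CRSF_MAX_PACKET_LEN, while the overflow described in the commit message is of the 64-byte process_buffer, so the check only protects if CRSF_MAX_PACKET_LEN is no larger than sizeof(process_buffer); a static assertion next to the buffer definition (or a comment at this check) would make that relationship explicit. Also, `working_segment_size = packet_size - PACKET_SIZE_TYPE_SIZE;` is computed before the bound is tested, so a packet_size smaller than PACKET_SIZE_TYPE_SIZE would wrap if these are unsigned and then still satisfy the `>` test; rejecting packet_size < PACKET_SIZE_TYPE_SIZE up front, unless an earlier state already does, would close that case. Finally, the recovery sequence from `parser_state = PARSER_STATE_HEADER;` through `continue;` is, per the message, the same one the unknown-packet path uses; factoring it into a small reset helper would keep the two bounds checks from drifting apart.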