From bf4fac7e61413ef35959505b337c1168d0fd76bb Mon Sep 17 00:00:00 2001
From: Ramon Roche
Date: Thu, 12 Mar 2026 20:56:08 -0700
Subject: [PATCH] fix(crsf_rc): validate variable-length packet size before buffer copy

Variable-length known packet types (CRSF_PACKET_TYPE_ELRS_STATUS, CRSF_PACKET_TYPE_LINK_STATISTICS_TX, CRSF_PACKET_TYPE_MSP_WRITE) bypassed the bounds check that exists for unknown packets. A crafted packet with a large size field could overflow the 64-byte process_buffer during QueueBuffer_PeekBuffer() in the CRC state. Apply the same CRSF_MAX_PACKET_LEN bounds check to variable-length known packets that already exists for unknown packets. Fixes GHSA-mqgj-hh4g-fg5p
Signed-off-by: Ramon Roche
---
src/drivers/rc/crsf_rc/CrsfParser.cpp | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/src/drivers/rc/crsf_rc/CrsfParser.cpp b/src/drivers/rc/crsf_rc/CrsfParser.cpp
index 1e8b8e0d0c..bddbadfe27 100644
--- a/src/drivers/rc/crsf_rc/CrsfParser.cpp
+++ b/src/drivers/rc/crsf_rc/CrsfParser.cpp
@@ -401,6 +401,15 @@ bool CrsfParser_TryParseCrsfPacket(CrsfPacket_t *const new_packet, CrsfParserSta
 if (working_descriptor->packet_size == -1) {
 working_segment_size = packet_size - PACKET_SIZE_TYPE_SIZE;
+ if (working_index + working_segment_size + CRC_SIZE > CRSF_MAX_PACKET_LEN) {
+ parser_statistics->invalid_known_packet_sizes++;
+ parser_state = PARSER_STATE_HEADER;
+ working_segment_size = HEADER_SIZE;
+ working_index = 0;
+ buffer_count = QueueBuffer_Count(&rx_queue);
+ continue;
+ }
+
 } else {
 if (packet_size != working_descriptor->packet_size + PACKET_SIZE_TYPE_SIZE) {
 parser_statistics->invalid_known_packet_sizes++;