fix(telemetry/bst): validate reply length and dev_name_len before use

Reject replies with length >= sizeof(BSTPacket) to prevent OOB read in CRC calculation. Clamp dev_name_len to buffer size to prevent OOB write during null termination. Signed-off-by: Ramon Roche <mrpollo@gmail.com>
2026-04-14 10:07:39 +08:00 · 2026-03-12 20:41:53 -07:00 · 2026-03-12 20:41:53 -07:00 · e8e86a2e0f
commit e8e86a2e0f
parent a9f2e0e44e
1 changed files with 10 additions and 0 deletions
--- a/src/drivers/telemetry/bst/bst.cpp
+++ b/src/drivers/telemetry/bst/bst.cpp
@ -197,6 +197,12 @@ int BST::probe()
 	}

 	uint8_t *reply_raw = reinterpret_cast<uint8_t *>(&dev_info_reply);
+
+	if (dev_info_reply.length >= sizeof(dev_info_reply)) {
+		PX4_ERR("invalid reply length: %u", dev_info_reply.length);
+		return -EIO;
+	}
+
 	uint8_t crc_calc = crc8(reinterpret_cast<uint8_t *>(&dev_info_reply.type), dev_info_reply.length - 1);
 	uint8_t crc_recv = reply_raw[dev_info_reply.length];

@ -205,6 +211,10 @@ int BST::probe()
 		return -EIO;
 	}

+	if (dev_info_reply.payload.dev_name_len >= sizeof(dev_info_reply.payload.dev_name)) {
+		dev_info_reply.payload.dev_name_len = sizeof(dev_info_reply.payload.dev_name) - 1;
+	}
+
 	dev_info_reply.payload.dev_name[dev_info_reply.payload.dev_name_len] = '\0';
 	PX4_DEBUG("device info: hardware ID: 0x%08X, firmware ID: 0x%04X, device name: %s",
 		  (int)swap_uint32(dev_info_reply.payload.hw_id), (int)swap_uint16(dev_info_reply.payload.fw_id),