From e8e86a2e0f7412be10605274440511f4a4771f5c Mon Sep 17 00:00:00 2001
From: Ramon Roche
Date: Thu, 12 Mar 2026 20:41:53 -0700
Subject: [PATCH] fix(telemetry/bst): validate reply length and dev_name_len before use

Reject replies with length >= sizeof(BSTPacket) to prevent OOB read in CRC calculation. Clamp dev_name_len to buffer size to prevent OOB write during null termination.

Signed-off-by: Ramon Roche
---
 src/drivers/telemetry/bst/bst.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/drivers/telemetry/bst/bst.cpp b/src/drivers/telemetry/bst/bst.cpp
index 7d7013651b..fdbf662e6d 100644
--- a/src/drivers/telemetry/bst/bst.cpp
+++ b/src/drivers/telemetry/bst/bst.cpp
@@ -197,6 +197,12 @@ int BST::probe()
 }
 
 uint8_t *reply_raw = reinterpret_cast(&dev_info_reply);
+
+ if (dev_info_reply.length >= sizeof(dev_info_reply)) {
+ PX4_ERR("invalid reply length: %u", dev_info_reply.length);
+ return -EIO;
+ }
+
 uint8_t crc_calc = crc8(reinterpret_cast(&dev_info_reply.type), dev_info_reply.length - 1);
 uint8_t crc_recv = reply_raw[dev_info_reply.length];
 
@@ -205,6 +211,10 @@ int BST::probe()
 return -EIO;
 }
 
+ if (dev_info_reply.payload.dev_name_len >= sizeof(dev_info_reply.payload.dev_name)) {
+ dev_info_reply.payload.dev_name_len = sizeof(dev_info_reply.payload.dev_name) - 1;
+ }
+
 dev_info_reply.payload.dev_name[dev_info_reply.payload.dev_name_len] = '\0';
 PX4_DEBUG("device info: hardware ID: 0x%08X, firmware ID: 0x%04X, device name: %s",
 (int)swap_uint32(dev_info_reply.payload.hw_id), (int)swap_uint16(dev_info_reply.payload.fw_id),
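Review bot: The new guard in the first hunk bounds `length` only from above, so a reply with `length == 0` still reaches `crc8(..., dev_info_reply.length - 1)`, where the subtraction wraps (an unsigned byte promoted to int gives -1, which becomes a huge count if crc8 takes an unsigned length) and the CRC loop reads far past the struct. Reject short replies too, e.g. `if (dev_info_reply.length == 0 || dev_info_reply.length >= sizeof(dev_info_reply)) {`. A tighter lower bound — at least the bytes through the end of `payload`, which the code later reads (`dev_name_len`, `hw_id`, `fw_id`) — would also stop a 1-byte reply from passing the CRC over zero bytes and then exposing whatever was already in `payload`, if the struct layout lets you compute it. `BST::probe()` starts and ends outside this hunk.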
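Review bot: Clamping `dev_name_len` in the second hunk silently accepts a malformed reply instead of rejecting it the way the new length check and the CRC-mismatch branch do, so an inconsistent frame is still reported as a valid device. Because `dev_name_len` is never compared with the received `length`, the bytes printed as the device name may never have come from the device at all (stale or uninitialized struct contents, depending on whether `dev_info_reply` is cleared before the read, which is outside the hunk). Prefer failing the probe: replace the clamp line with `PX4_ERR("invalid dev_name_len: %u", dev_info_reply.payload.dev_name_len);` followed by `return -EIO;`, and consider also requiring `dev_name_len` to fit within the received `length`. `BST::probe()` starts and ends outside this hunk.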