fix(telemetry/bst): validate reply length and dev_name_len before use

Reject replies with length >= sizeof(BSTPacket) to prevent OOB read
in CRC calculation. Clamp dev_name_len to buffer size to prevent OOB
write during null termination.

Signed-off-by: Ramon Roche <mrpollo@gmail.com>

src/drivers/telemetry/bst/bst.cpp

@@ -197,6 +197,12 @@ int BST::probe()
 	}
 
 	uint8_t *reply_raw = reinterpret_cast<uint8_t *>(&dev_info_reply);
+
+	if (dev_info_reply.length >= sizeof(dev_info_reply)) {
+		PX4_ERR("invalid reply length: %u", dev_info_reply.length);
+		return -EIO;
+	}
+
 	uint8_t crc_calc = crc8(reinterpret_cast<uint8_t *>(&dev_info_reply.type), dev_info_reply.length - 1);
 	uint8_t crc_recv = reply_raw[dev_info_reply.length];
 
@@ -205,6 +211,10 @@ int BST::probe()
 		return -EIO;
 	}
 
+	if (dev_info_reply.payload.dev_name_len >= sizeof(dev_info_reply.payload.dev_name)) {
+		dev_info_reply.payload.dev_name_len = sizeof(dev_info_reply.payload.dev_name) - 1;
+	}
+
 	dev_info_reply.payload.dev_name[dev_info_reply.payload.dev_name_len] = '\0';
 	PX4_DEBUG("device info: hardware ID: 0x%08X, firmware ID: 0x%04X, device name: %s",
 		  (int)swap_uint32(dev_info_reply.payload.hw_id), (int)swap_uint16(dev_info_reply.payload.fw_id),