When a CRSF frame arrives with packet_size < 2 (PACKET_SIZE_TYPE_SIZE),
the subtraction `packet_size - PACKET_SIZE_TYPE_SIZE` underflows the
uint32_t working_segment_size to 0xFFFFFFFF. The subsequent overflow
check also wraps and fails to catch it. Since working_segment_size is
static, the parser is permanently stalled — no further CRSF messages
can be processed until reboot.
Validate packet_size >= PACKET_SIZE_TYPE_SIZE early, before any
subtraction, protecting both the known variable-length and unknown
packet branches in a single check.
Supersedes #26782 which only guarded the unknown-packet branch.
Variable-length known packet types (CRSF_PACKET_TYPE_ELRS_STATUS,
CRSF_PACKET_TYPE_LINK_STATISTICS_TX, CRSF_PACKET_TYPE_MSP_WRITE)
bypassed the bounds check that exists for unknown packets. A crafted
packet with a large size field could overflow the 64-byte process_buffer
during QueueBuffer_PeekBuffer() in the CRC state.
Apply the same CRSF_MAX_PACKET_LEN bounds check to variable-length
known packets that already exists for unknown packets.
Fixes GHSA-mqgj-hh4g-fg5p
Signed-off-by: Ramon Roche <mrpollo@gmail.com>
-add new NAVIGATION_STATE_ALTITUDE_VOYAGER
-this mode does require manual control to enter
-but you can disable the manual control loss failsafe to continue
flying in case of manual control loss
-for MC: in throttle and yaw are controlled like in Altitude mode,
the tilt is controlled via integrated rate input (similar to Acro,
but with tilt limit)
Signed-off-by: Silvan Fuhrer <silvan@auterion.com>
The length check for unknown packets did not include PACKET_SIZE_TYPE_SIZE
and CRC_SIZE, and hence working_index could overflow CRSF_MAX_PACKET_LEN,
triggering invalid memory access further down in QueueBuffer_PeekBuffer.
Also the working_segment_size was wrong for unknown packets.
Credits for finding this go to @Pwn9uin.
Jacob Dahl