mirror of
https://gitee.com/mirrors_PX4/PX4-Autopilot.git
synced 2026-04-14 10:07:39 +08:00
05cc1687a5
When a CRSF frame arrives with packet_size < 2 (PACKET_SIZE_TYPE_SIZE), the subtraction `packet_size - PACKET_SIZE_TYPE_SIZE` underflows the uint32_t working_segment_size to 0xFFFFFFFF. The subsequent overflow check also wraps and fails to catch it. Since working_segment_size is static, the parser is permanently stalled — no further CRSF messages can be processed until reboot. Validate packet_size >= PACKET_SIZE_TYPE_SIZE early, before any subtraction, protecting both the known variable-length and unknown packet branches in a single check. Supersedes #26782 which only guarded the unknown-packet branch.