Mirror/betaflight
1
0
Fork 0
mirror of https://github.com/betaflight/betaflight.git synced 2025-07-13 19:40:31 +03:00
Code Issues Wiki Activity

Fix buffer overflow in JETIEXBUS character reception (#13130) (#13136)

Browse source 
* Fix buffer overflow in jetiexbus character reception

* Update src/main/rx/jetiexbus.c



---------

Co-authored-by: Steve Evans <SteveCEvans@users.noreply.github.com>
This commit is contained in:
Mark Haslinghuis 2023-10-23 16:57:41 +02:00 committed by GitHub
parent 0d9ab2984d
commit 738127e7e1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 12 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

12
src/main/rx/jetiexbus.c
View file

@ -153,6 +153,7 @@ static void jetiExBusDataReceive(uint16_t c, void *data)
static timeUs_t jetiExBusTimeLast = 0; static timeUs_t jetiExBusTimeLast = 0;
static uint8_t *jetiExBusFrame; static uint8_t *jetiExBusFrame;
static uint8_t jetiExBusFrameMaxSize;
const timeUs_t now = microsISR(); const timeUs_t now = microsISR();
// Check if we shall reset frame position due to time // Check if we shall reset frame position due to time
@ -169,11 +170,13 @@ static void jetiExBusDataReceive(uint16_t c, void *data)
case EXBUS_START_CHANNEL_FRAME: case EXBUS_START_CHANNEL_FRAME:
jetiExBusFrameState = EXBUS_STATE_IN_PROGRESS; jetiExBusFrameState = EXBUS_STATE_IN_PROGRESS;
jetiExBusFrame = jetiExBusChannelFrame; jetiExBusFrame = jetiExBusChannelFrame;
jetiExBusFrameMaxSize = EXBUS_MAX_CHANNEL_FRAME_SIZE;
break; break;
case EXBUS_START_REQUEST_FRAME: case EXBUS_START_REQUEST_FRAME:
jetiExBusRequestState = EXBUS_STATE_IN_PROGRESS; jetiExBusRequestState = EXBUS_STATE_IN_PROGRESS;
jetiExBusFrame = jetiExBusRequestFrame; jetiExBusFrame = jetiExBusRequestFrame;
jetiExBusFrameMaxSize = EXBUS_MAX_REQUEST_FRAME_SIZE;
break; break;
default: default:
@ -181,6 +184,15 @@ static void jetiExBusDataReceive(uint16_t c, void *data)
} }
} }
if (jetiExBusFramePosition == jetiExBusFrameMaxSize) {
// frame overrun
jetiExBusFrameReset();
jetiExBusFrameState = EXBUS_STATE_ZERO;
jetiExBusRequestState = EXBUS_STATE_ZERO;
return;
}
// Store in frame copy // Store in frame copy
jetiExBusFrame[jetiExBusFramePosition] = (uint8_t)c; jetiExBusFrame[jetiExBusFramePosition] = (uint8_t)c;
jetiExBusFramePosition++; jetiExBusFramePosition++;