From 0f4c54aaa651c3f4d603007ebed26ef20057a0d4 Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Fri, 5 Jul 2019 15:12:15 +1000 Subject: [PATCH] AP_RCProtocol: fixed a overflow in SRXL decoder thanks to coverity 343308 and Peter for noticing --- libraries/AP_RCProtocol/AP_RCProtocol.h | 2 +- .../AP_RCProtocol/AP_RCProtocol_SRXL.cpp | 44 ++++++++++--------- 2 files changed, 24 insertions(+), 22 deletions(-) diff --git a/libraries/AP_RCProtocol/AP_RCProtocol.h b/libraries/AP_RCProtocol/AP_RCProtocol.h index 2cc8ee8fbb..e28c02d2e7 100644 --- a/libraries/AP_RCProtocol/AP_RCProtocol.h +++ b/libraries/AP_RCProtocol/AP_RCProtocol.h @@ -18,7 +18,7 @@ #include #include -#define MAX_RCIN_CHANNELS 32 +#define MAX_RCIN_CHANNELS 18 #define MIN_RCIN_CHANNELS 5 class AP_RCProtocol_Backend; diff --git a/libraries/AP_RCProtocol/AP_RCProtocol_SRXL.cpp b/libraries/AP_RCProtocol/AP_RCProtocol_SRXL.cpp index d0c0f3b54c..a48e55ec68 100644 --- a/libraries/AP_RCProtocol/AP_RCProtocol_SRXL.cpp +++ b/libraries/AP_RCProtocol/AP_RCProtocol_SRXL.cpp @@ -22,6 +22,7 @@ #include "AP_RCProtocol_SRXL.h" #include +#include // #define SUMD_DEBUG extern const AP_HAL::HAL& hal; @@ -232,28 +233,29 @@ void AP_RCProtocol_SRXL::_process_byte(uint32_t timestamp_us, uint8_t byte) /* CRC check here */ crc_receiver = ((uint16_t)buffer[buflen-2] << 8U) | ((uint16_t)buffer[buflen-1]); if (crc_receiver == crc_fmu) { - /* at this point buffer contains all frame data and crc is valid --> extract channel info according to SRXL variant */ - uint16_t values[SRXL_MAX_CHANNELS]; - uint8_t num_values; - bool failsafe_state; - switch (frame_header) { - case SRXL_HEADER_V1: - srxl_channels_get_v1v2(MAX_RCIN_CHANNELS, &num_values, values, &failsafe_state); - add_input(num_values, values, failsafe_state); - break; - case SRXL_HEADER_V2: - srxl_channels_get_v1v2(MAX_RCIN_CHANNELS, &num_values, values, &failsafe_state); - add_input(num_values, values, failsafe_state); - break; - case SRXL_HEADER_V5: - srxl_channels_get_v5(MAX_RCIN_CHANNELS, &num_values, values, &failsafe_state); - add_input(num_values, values, failsafe_state); - break; - default: - break; - } + /* at this point buffer contains all frame data and crc is valid --> extract channel info according to SRXL variant */ + const uint8_t max_values = MIN((unsigned)SRXL_MAX_CHANNELS,(unsigned)MAX_RCIN_CHANNELS); + uint16_t values[max_values]; + uint8_t num_values; + bool failsafe_state; + switch (frame_header) { + case SRXL_HEADER_V1: + srxl_channels_get_v1v2(max_values, &num_values, values, &failsafe_state); + add_input(num_values, values, failsafe_state); + break; + case SRXL_HEADER_V2: + srxl_channels_get_v1v2(max_values, &num_values, values, &failsafe_state); + add_input(num_values, values, failsafe_state); + break; + case SRXL_HEADER_V5: + srxl_channels_get_v5(max_values, &num_values, values, &failsafe_state); + add_input(num_values, values, failsafe_state); + break; + default: + break; + } } - decode_state_next = STATE_IDLE; /* frame data buffering and decoding finished --> statemachine not in use until new header drops is */ + decode_state_next = STATE_IDLE; /* frame data buffering and decoding finished --> statemachine not in use until new header drops is */ } else { /* frame not completely received --> frame data buffering still ongoing */ decode_state_next = STATE_COLLECT;