AP_RCProtocol: fixed a overflow in SRXL decoder

thanks to coverity 343308 and Peter for noticing
Andrew Tridgell 2019-07-05 15:12:15 +10:00
parent 626c632859
commit 0f4c54aaa6
2 changed files with 24 additions and 22 deletions


@ -18,7 +18,7 @@
#include <AP_HAL/AP_HAL.h> #include <AP_HAL/AP_HAL.h>
#include <AP_Common/AP_Common.h> #include <AP_Common/AP_Common.h>
#define MAX_RCIN_CHANNELS 32 #define MAX_RCIN_CHANNELS 18
#define MIN_RCIN_CHANNELS 5 #define MIN_RCIN_CHANNELS 5
class AP_RCProtocol_Backend; class AP_RCProtocol_Backend;
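Review bot: `MAX_RCIN_CHANNELS` has no comment stating what it bounds, and with this commit the SRXL decoder sizes a stack array from it, so the define is now part of a memory-safety invariant. I would document that on the define, e.g. `// upper limit on channels a backend may decode and pass on; local channel buffers must hold at least MIN(protocol max, this)`. Because the constant is shared, any other backend that passes `MAX_RCIN_CHANNELS` as a limit into a buffer sized by its own protocol constant would have the same overflow that is fixed here for SRXL. Those files are not on this page, so this is a prompt to check rather than a finding.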


@ -22,6 +22,7 @@
#include "AP_RCProtocol_SRXL.h" #include "AP_RCProtocol_SRXL.h"
#include <AP_Math/crc.h> #include <AP_Math/crc.h>
#include <AP_Math/AP_Math.h>
// #define SUMD_DEBUG // #define SUMD_DEBUG
extern const AP_HAL::HAL& hal; extern const AP_HAL::HAL& hal;
@ -232,28 +233,29 @@ void AP_RCProtocol_SRXL::_process_byte(uint32_t timestamp_us, uint8_t byte)
/* CRC check here */ /* CRC check here */
crc_receiver = ((uint16_t)buffer[buflen-2] << 8U) | ((uint16_t)buffer[buflen-1]); crc_receiver = ((uint16_t)buffer[buflen-2] << 8U) | ((uint16_t)buffer[buflen-1]);
if (crc_receiver == crc_fmu) { if (crc_receiver == crc_fmu) {
/* at this point buffer contains all frame data and crc is valid --> extract channel info according to SRXL variant */ /* at this point buffer contains all frame data and crc is valid --> extract channel info according to SRXL variant */
uint16_t values[SRXL_MAX_CHANNELS]; const uint8_t max_values = MIN((unsigned)SRXL_MAX_CHANNELS,(unsigned)MAX_RCIN_CHANNELS);
uint8_t num_values; uint16_t values[max_values];
bool failsafe_state; uint8_t num_values;
switch (frame_header) { bool failsafe_state;
case SRXL_HEADER_V1: switch (frame_header) {
srxl_channels_get_v1v2(MAX_RCIN_CHANNELS, &num_values, values, &failsafe_state); case SRXL_HEADER_V1:
add_input(num_values, values, failsafe_state); srxl_channels_get_v1v2(max_values, &num_values, values, &failsafe_state);
break; add_input(num_values, values, failsafe_state);
case SRXL_HEADER_V2: break;
srxl_channels_get_v1v2(MAX_RCIN_CHANNELS, &num_values, values, &failsafe_state); case SRXL_HEADER_V2:
add_input(num_values, values, failsafe_state); srxl_channels_get_v1v2(max_values, &num_values, values, &failsafe_state);
break; add_input(num_values, values, failsafe_state);
case SRXL_HEADER_V5: break;
srxl_channels_get_v5(MAX_RCIN_CHANNELS, &num_values, values, &failsafe_state); case SRXL_HEADER_V5:
add_input(num_values, values, failsafe_state); srxl_channels_get_v5(max_values, &num_values, values, &failsafe_state);
break; add_input(num_values, values, failsafe_state);
default: break;
break; default:
} break;
}
} }
decode_state_next = STATE_IDLE; /* frame data buffering and decoding finished --> statemachine not in use until new header drops is */ decode_state_next = STATE_IDLE; /* frame data buffering and decoding finished --> statemachine not in use until new header drops is */
} else { } else {
/* frame not completely received --> frame data buffering still ongoing */ /* frame not completely received --> frame data buffering still ongoing */
decode_state_next = STATE_COLLECT; decode_state_next = STATE_COLLECT;
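Review bot: `uint16_t values[max_values];` takes its size from a `const uint8_t` initialised through `MIN(...)`, so unless `MIN` is usable in a constant expression this is a variable-length array, which is a compiler extension in C++ and leaves the stack buffer's size unchecked at compile time. Assuming both limits are macros or integral constants, a compile-time bound keeps the fix and avoids the VLA: `static constexpr uint8_t max_values = (SRXL_MAX_CHANNELS < MAX_RCIN_CHANNELS) ? SRXL_MAX_CHANNELS : MAX_RCIN_CHANNELS;`. The overflow is only closed if `srxl_channels_get_v1v2()` and `srxl_channels_get_v5()` never write past the `max_values` they are given; neither body is in this hunk, so that should be confirmed there. `_process_byte()` starts and ends outside the hunk.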