AP_Bootloader: added more protection against line noisy triggering bootloader

this is in reponse to a report from Ryan of the Hybrid project who
found that mavlink on telem1 could make bootloader get stuck

Tools/AP_Bootloader/bl_protocol.cpp

@@ -442,7 +442,9 @@ bootloader(unsigned timeout)
     uint32_t	first_words[RESERVE_LEAD_WORDS];
     bool done_sync = false;
     bool done_get_device = false;
+    bool done_erase = false;
     static bool done_timer_init;
+    unsigned original_timeout = timeout;
 
     memset(first_words, 0xFF, sizeof(first_words));
 
@@ -582,6 +584,11 @@ bootloader(unsigned timeout)
                 goto cmd_bad;
             }
 
+            // once erase is done there is no going back, set timeout
+            // to zero
+            done_erase = true;
+            timeout = 0;
+            
             flash_set_keep_unlocked(true);
 
             // clear the bootloader LED while erasing - it stops blinking at random
@@ -891,6 +898,10 @@ bootloader(unsigned timeout)
             break;
 
 		case PROTO_SET_BAUD: {
+            if (!done_sync || !done_get_device) {
+                // prevent timeout going to zero on noise
+                goto cmd_bad;
+            }
             /* expect arg then EOC */
             uint32_t baud = 0;
 
@@ -937,6 +948,12 @@ bootloader(unsigned timeout)
         sync_response();
         continue;
 cmd_bad:
+        // if we get a bad command it could be line noise on a
+        // uart. Set timeout back to original timeout so we don't get
+        // stuck in the bootloader
+        if (!done_erase) {
+            timeout = original_timeout;
+        }
         // send an 'invalid' response but don't kill the timeout - could be garbage
         invalid_response();
         continue;