From 770f8080c0bc7569d6bc0a20e03294962a013af4 Mon Sep 17 00:00:00 2001
From: chris1seto <chris12892@gmail.com>
Date: Sat, 24 Sep 2022 13:36:17 -0700
Subject: [PATCH] CRSF: Validate unknown packet sizes to be smaller than max
 packet size

Co-authored-by: Chris Seto <chris1seto@gmail.com>
---
 src/drivers/rc/crsf_rc/CrsfParser.cpp | 9 +++++++++
 src/drivers/rc/crsf_rc/CrsfParser.hpp | 1 +
 src/drivers/rc/crsf_rc/CrsfRc.cpp     | 1 +
 3 files changed, 11 insertions(+)

diff --git a/src/drivers/rc/crsf_rc/CrsfParser.cpp b/src/drivers/rc/crsf_rc/CrsfParser.cpp
index db086d6d9c..ba0ddac233 100644
--- a/src/drivers/rc/crsf_rc/CrsfParser.cpp
+++ b/src/drivers/rc/crsf_rc/CrsfParser.cpp
@@ -294,6 +294,15 @@ bool CrsfParser_TryParseCrsfPacket(CrsfPacket_t *const new_packet, CrsfParserSta
 				// We don't know what this packet is, so we'll let the parser continue
 				// just so that we can dequeue it in one shot
 				working_segment_size = packet_size + PACKET_SIZE_TYPE_SIZE;
+
+				if (working_segment_size > CRSF_MAX_PACKET_LEN) {
+					parser_statistics->invalid_unknown_packet_sizes++;
+					parser_state = PARSER_STATE_HEADER;
+					working_segment_size = HEADER_SIZE;
+					working_index = 0;
+					buffer_count = QueueBuffer_Count(&rx_queue);
+					continue;
+				}
 			}
 
 			parser_state = PARSER_STATE_PAYLOAD;
diff --git a/src/drivers/rc/crsf_rc/CrsfParser.hpp b/src/drivers/rc/crsf_rc/CrsfParser.hpp
index 7b36876b40..c0bf0e8494 100644
--- a/src/drivers/rc/crsf_rc/CrsfParser.hpp
+++ b/src/drivers/rc/crsf_rc/CrsfParser.hpp
@@ -69,6 +69,7 @@ struct CrsfParserStatistics_t {
 	uint32_t crcs_valid_unknown_packets;
 	uint32_t crcs_invalid;
 	uint32_t invalid_known_packet_sizes;
+	uint32_t invalid_unknown_packet_sizes;
 };
 
 enum CRSF_MESSAGE_TYPE {
diff --git a/src/drivers/rc/crsf_rc/CrsfRc.cpp b/src/drivers/rc/crsf_rc/CrsfRc.cpp
index f5489b35db..77584f5fc0 100644
--- a/src/drivers/rc/crsf_rc/CrsfRc.cpp
+++ b/src/drivers/rc/crsf_rc/CrsfRc.cpp
@@ -504,6 +504,7 @@ int CrsfRc::print_status()
 	PX4_INFO("Valid unknown packet CRCs: %li",  _packet_parser_statistics.crcs_valid_unknown_packets);
 	PX4_INFO("Invalid CRCs: %li",  _packet_parser_statistics.crcs_invalid);
 	PX4_INFO("Invalid known packet sizes: %li",  _packet_parser_statistics.invalid_known_packet_sizes);
+	PX4_INFO("Invalid unknown packet sizes: %li",  _packet_parser_statistics.invalid_unknown_packet_sizes);
 
 	return 0;
 }