UAVTalk: Fixed bug in parser failing to handle length of multi-instanceobjects

UAVTalk (on GCS): Fixed a null pointer dereference when receiving in a NACK
2025-02-20 10:54:14 +01:00 · 2011-10-21 02:04:29 +02:00 · 2011-10-21 02:04:29 +02:00 · 167010e8a0
commit 167010e8a0
parent cb8d9c791c
4 changed files with 16 additions and 2 deletions
--- a/flight/UAVTalk/inc/uavtalk_priv.h
+++ b/flight/UAVTalk/inc/uavtalk_priv.h
@ -64,6 +64,7 @@ typedef struct {
    uint32_t objId;
    uint16_t instId;
    uint32_t length;
+    uint8_t instanceLength;
    uint8_t cs;
    int32_t rxCount;
    UAVTalkRxState state;
--- a/flight/UAVTalk/uavtalk.c
+++ b/flight/UAVTalk/uavtalk.c
@ -351,9 +351,15 @@ int32_t UAVTalkProcessInputStream(UAVTalkConnection connectionHandle, uint8_t rx
 			
 			// Determine data length
 			if (iproc->type == UAVTALK_TYPE_OBJ_REQ || iproc->type == UAVTALK_TYPE_ACK || iproc->type == UAVTALK_TYPE_NACK)
+			{
 				iproc->length = 0;
+				iproc->instanceLength = 0;
+			}
 			else
+			{
 				iproc->length = UAVObjGetNumBytes(iproc->obj);
+				iproc->instanceLength = (UAVObjIsSingleInstance(iproc->obj) ? 0 : 2);
+			}
 			
 			// Check length and determine next state
 			if (iproc->length >= UAVTALK_MAX_PAYLOAD_LENGTH)
@ -364,7 +370,7 @@ int32_t UAVTalkProcessInputStream(UAVTalkConnection connectionHandle, uint8_t rx
 			}
 			
 			// Check the lengths match
-			if ((iproc->rxPacketLength + iproc->length) != iproc->packet_size)
+			if ((iproc->rxPacketLength + iproc->instanceLength + iproc->length) != iproc->packet_size)
 			{   // packet error - mismatched packet size
 				connection->stats.rxErrors++;
 				iproc->state = UAVTALK_STATE_SYNC;
--- a/ground/openpilotgcs/src/plugins/uavtalk/uavtalk.cpp
+++ b/ground/openpilotgcs/src/plugins/uavtalk/uavtalk.cpp
@ -282,9 +282,15 @@ bool UAVTalk::processInputByte(quint8 rxbyte)

                // Determine data length
                if (rxType == TYPE_OBJ_REQ || rxType == TYPE_ACK || rxType == TYPE_NACK)
+                {
                    rxLength = 0;
+                    rxInstanceLength = 0;
+                }
                else
+                {
                    rxLength = rxObj->getNumBytes();
+                    rxInstanceLength = (rxObj->isSingleInstance() ? 0 : 2);
+                }

                // Check length and determine next state
                if (rxLength >= MAX_PAYLOAD_LENGTH)
@ -295,7 +301,7 @@ bool UAVTalk::processInputByte(quint8 rxbyte)
                }

                // Check the lengths match
-                if ((rxPacketLength + rxLength + (rxObj->isSingleInstance() ? 0 : 2)) != packetSize)
+                if ((rxPacketLength + rxInstanceLength + rxLength) != packetSize)
                {   // packet error - mismatched packet size
                    stats.rxErrors++;
                    rxState = STATE_SYNC;
--- a/ground/openpilotgcs/src/plugins/uavtalk/uavtalk.h
+++ b/ground/openpilotgcs/src/plugins/uavtalk/uavtalk.h
@ -107,6 +107,7 @@ private:
    quint16 rxInstId;
    quint16 rxLength;
    quint16 rxPacketLength;
+    quint8 rxInstanceLength;

    quint8 rxCSPacket, rxCS;
    qint32 rxCount;