1
0
mirror of https://bitbucket.org/librepilot/librepilot.git synced 2025-02-20 10:54:14 +01:00

UAVTalk: Fixed bug in parser failing to handle length of multi-instanceobjects

UAVTalk (on GCS): Fixed a null pointer dereference when receiving in a NACK
This commit is contained in:
Corvus Corax 2011-10-21 02:04:29 +02:00
parent cb8d9c791c
commit 167010e8a0
4 changed files with 16 additions and 2 deletions

View File

@ -64,6 +64,7 @@ typedef struct {
uint32_t objId;
uint16_t instId;
uint32_t length;
uint8_t instanceLength;
uint8_t cs;
int32_t rxCount;
UAVTalkRxState state;

View File

@ -351,9 +351,15 @@ int32_t UAVTalkProcessInputStream(UAVTalkConnection connectionHandle, uint8_t rx
// Determine data length
if (iproc->type == UAVTALK_TYPE_OBJ_REQ || iproc->type == UAVTALK_TYPE_ACK || iproc->type == UAVTALK_TYPE_NACK)
{
iproc->length = 0;
iproc->instanceLength = 0;
}
else
{
iproc->length = UAVObjGetNumBytes(iproc->obj);
iproc->instanceLength = (UAVObjIsSingleInstance(iproc->obj) ? 0 : 2);
}
// Check length and determine next state
if (iproc->length >= UAVTALK_MAX_PAYLOAD_LENGTH)
@ -364,7 +370,7 @@ int32_t UAVTalkProcessInputStream(UAVTalkConnection connectionHandle, uint8_t rx
}
// Check the lengths match
if ((iproc->rxPacketLength + iproc->length) != iproc->packet_size)
if ((iproc->rxPacketLength + iproc->instanceLength + iproc->length) != iproc->packet_size)
{ // packet error - mismatched packet size
connection->stats.rxErrors++;
iproc->state = UAVTALK_STATE_SYNC;

View File

@ -282,9 +282,15 @@ bool UAVTalk::processInputByte(quint8 rxbyte)
// Determine data length
if (rxType == TYPE_OBJ_REQ || rxType == TYPE_ACK || rxType == TYPE_NACK)
{
rxLength = 0;
rxInstanceLength = 0;
}
else
{
rxLength = rxObj->getNumBytes();
rxInstanceLength = (rxObj->isSingleInstance() ? 0 : 2);
}
// Check length and determine next state
if (rxLength >= MAX_PAYLOAD_LENGTH)
@ -295,7 +301,7 @@ bool UAVTalk::processInputByte(quint8 rxbyte)
}
// Check the lengths match
if ((rxPacketLength + rxLength + (rxObj->isSingleInstance() ? 0 : 2)) != packetSize)
if ((rxPacketLength + rxInstanceLength + rxLength) != packetSize)
{ // packet error - mismatched packet size
stats.rxErrors++;
rxState = STATE_SYNC;

View File

@ -107,6 +107,7 @@ private:
quint16 rxInstId;
quint16 rxLength;
quint16 rxPacketLength;
quint8 rxInstanceLength;
quint8 rxCSPacket, rxCS;
qint32 rxCount;