altos: Bounds check Skytraq GPS tracking data array

Missing GPS serial data could cause the tracking array reset to
get skipped, causing the array to be overrun, smashing critical data
beyond the array.

This was detected using the 'altosui' flash command to program a
device from TM. Hitting the USB that hard caused TM to crash with a
mutex error (3 beeps) after the ao_gps_task structure was overwritten
with zeros.

Signed-off-by: Keith Packard <keithp@keithp.com>

diff --git a/src/ao.h b/src/ao.h
index cd4e4814e07a8a27611f9a56c06db47bcc25941f..5b174947c57ba893a74ae56e43dacffbaf132f92 100644 (file)
--- a/src/ao.h
+++ b/src/ao.h
@@ -781,9 +781,11 @@ struct ao_gps_sat_data {
        uint8_t         c_n_1;
 };
 
        uint8_t         c_n_1;
 };
 

+#define AO_MAX_GPS_TRACKING    12
+

 struct ao_gps_tracking_data {
        uint8_t                 channels;
 struct ao_gps_tracking_data {
        uint8_t                 channels;

-       struct ao_gps_sat_data  sats[12];
+       struct ao_gps_sat_data  sats[AO_MAX_GPS_TRACKING];

 };
 
 extern __xdata uint8_t ao_gps_mutex;
 };
 
 extern __xdata uint8_t ao_gps_mutex;

diff --git a/src/ao_gps_skytraq.c b/src/ao_gps_skytraq.c
index c822f7fab57bf2125922f3fac5263369d74dcaf2..2d3d464c881fa79342cfc1b3b79e5da203ce9386 100644 (file)
--- a/src/ao_gps_skytraq.c
+++ b/src/ao_gps_skytraq.c
@@ -333,14 +333,19 @@ ao_gps(void) __reentrant
                        ao_gps_skip_field();    /* sats in view */
                        while (ao_gps_char != '*' && ao_gps_char != '\n' && ao_gps_char != '\r') {
                                i = ao_gps_tracking_next.channels;
                        ao_gps_skip_field();    /* sats in view */
                        while (ao_gps_char != '*' && ao_gps_char != '\n' && ao_gps_char != '\r') {
                                i = ao_gps_tracking_next.channels;

-                               ao_gps_tracking_next.sats[i].svid = ao_gps_decimal(2);  /* SVID */
+                               c = ao_gps_decimal(2);  /* SVID */
+                               if (i < AO_MAX_GPS_TRACKING)
+                                       ao_gps_tracking_next.sats[i].svid = c;

                                ao_gps_lexchar();
                                ao_gps_skip_field();    /* elevation */
                                ao_gps_lexchar();
                                ao_gps_skip_field();    /* azimuth */
                                ao_gps_lexchar();
                                ao_gps_skip_field();    /* elevation */
                                ao_gps_lexchar();
                                ao_gps_skip_field();    /* azimuth */

-                               if (!(ao_gps_tracking_next.sats[i].c_n_1 = ao_gps_decimal(2)))  /* C/N0 */
-                                       ao_gps_tracking_next.sats[i].svid = 0;
-                               ao_gps_tracking_next.channels = i + 1;
+                               c = ao_gps_decimal(2);  /* C/N0 */
+                               if (i < AO_MAX_GPS_TRACKING) {
+                                       if (!(ao_gps_tracking_next.sats[i].c_n_1 = c))
+                                               ao_gps_tracking_next.sats[i].svid = 0;
+                                       ao_gps_tracking_next.channels = i + 1;
+                               }

                        }
                        if (ao_gps_char == '*') {
                                uint8_t cksum = ao_gps_cksum ^ '*';
                        }
                        if (ao_gps_char == '*') {
                                uint8_t cksum = ao_gps_cksum ^ '*';

diff --git a/src/ao_gps_test.c b/src/ao_gps_test.c
index cdcc6f4c375ce0fbb14eb454f2c2f235810ae3bb..edb513047fda7aea4eeb8db808b4eb03df9ee473 100644 (file)
--- a/src/ao_gps_test.c
+++ b/src/ao_gps_test.c
@@ -62,9 +62,11 @@ struct ao_gps_sat_data {
        uint8_t         c_n_1;
 };
 
        uint8_t         c_n_1;
 };
 

+#define AO_MAX_GPS_TRACKING    12
+

 struct ao_gps_tracking_data {
        uint8_t                 channels;
 struct ao_gps_tracking_data {
        uint8_t                 channels;

-       struct ao_gps_sat_data  sats[12];
+       struct ao_gps_sat_data  sats[AO_MAX_GPS_TRACKING];

 };
 
 void
 };
 
 void

diff --git a/src/ao_gps_test_skytraq.c b/src/ao_gps_test_skytraq.c
index 7fa10eaaf7bb1818f2e0b1dbed5f1e5097620b6b..4010e09c9e8816db490feab7ab0c6f887ed793b1 100644 (file)
--- a/src/ao_gps_test_skytraq.c
+++ b/src/ao_gps_test_skytraq.c
@@ -63,9 +63,11 @@ struct ao_gps_sat_data {
        uint8_t         c_n_1;
 };
 
        uint8_t         c_n_1;
 };
 

+#define AO_MAX_GPS_TRACKING    12
+

 struct ao_gps_tracking_data {
        uint8_t                 channels;
 struct ao_gps_tracking_data {
        uint8_t                 channels;

-       struct ao_gps_sat_data  sats[12];
+       struct ao_gps_sat_data  sats[AO_MAX_GPS_TRACKING];

 };
 
 void
 };
 
 void