From 1177e0a684328422be5adc68093d0091a218a824 Mon Sep 17 00:00:00 2001 From: Keith Packard Date: Wed, 1 Sep 2010 19:53:24 -0700 Subject: [PATCH] altos: Bounds check Skytraq GPS tracking data array Missing GPS serial data could cause the tracking array reset to get skipped, causing the array to be overrun, smashing critical data beyond the array. This was detected using the 'altosui' flash command to program a device from TM. Hitting the USB that hard caused TM to crash with a mutex error (3 beeps) after the ao_gps_task structure was overwritten with zeros. Signed-off-by: Keith Packard --- src/ao.h | 4 +++- src/ao_gps_skytraq.c | 13 +++++++++---- src/ao_gps_test.c | 4 +++- src/ao_gps_test_skytraq.c | 4 +++- 4 files changed, 18 insertions(+), 7 deletions(-) diff --git a/src/ao.h b/src/ao.h index cd4e4814..5b174947 100644 --- a/src/ao.h +++ b/src/ao.h @@ -781,9 +781,11 @@ struct ao_gps_sat_data { uint8_t c_n_1; }; +#define AO_MAX_GPS_TRACKING 12 + struct ao_gps_tracking_data { uint8_t channels; - struct ao_gps_sat_data sats[12]; + struct ao_gps_sat_data sats[AO_MAX_GPS_TRACKING]; }; extern __xdata uint8_t ao_gps_mutex; diff --git a/src/ao_gps_skytraq.c b/src/ao_gps_skytraq.c index c822f7fa..2d3d464c 100644 --- a/src/ao_gps_skytraq.c +++ b/src/ao_gps_skytraq.c @@ -333,14 +333,19 @@ ao_gps(void) __reentrant ao_gps_skip_field(); /* sats in view */ while (ao_gps_char != '*' && ao_gps_char != '\n' && ao_gps_char != '\r') { i = ao_gps_tracking_next.channels; - ao_gps_tracking_next.sats[i].svid = ao_gps_decimal(2); /* SVID */ + c = ao_gps_decimal(2); /* SVID */ + if (i < AO_MAX_GPS_TRACKING) + ao_gps_tracking_next.sats[i].svid = c; ao_gps_lexchar(); ao_gps_skip_field(); /* elevation */ ao_gps_lexchar(); ao_gps_skip_field(); /* azimuth */ - if (!(ao_gps_tracking_next.sats[i].c_n_1 = ao_gps_decimal(2))) /* C/N0 */ - ao_gps_tracking_next.sats[i].svid = 0; - ao_gps_tracking_next.channels = i + 1; + c = ao_gps_decimal(2); /* C/N0 */ + if (i < AO_MAX_GPS_TRACKING) { + if (!(ao_gps_tracking_next.sats[i].c_n_1 = c)) + ao_gps_tracking_next.sats[i].svid = 0; + ao_gps_tracking_next.channels = i + 1; + } } if (ao_gps_char == '*') { uint8_t cksum = ao_gps_cksum ^ '*'; diff --git a/src/ao_gps_test.c b/src/ao_gps_test.c index cdcc6f4c..edb51304 100644 --- a/src/ao_gps_test.c +++ b/src/ao_gps_test.c @@ -62,9 +62,11 @@ struct ao_gps_sat_data { uint8_t c_n_1; }; +#define AO_MAX_GPS_TRACKING 12 + struct ao_gps_tracking_data { uint8_t channels; - struct ao_gps_sat_data sats[12]; + struct ao_gps_sat_data sats[AO_MAX_GPS_TRACKING]; }; void diff --git a/src/ao_gps_test_skytraq.c b/src/ao_gps_test_skytraq.c index 7fa10eaa..4010e09c 100644 --- a/src/ao_gps_test_skytraq.c +++ b/src/ao_gps_test_skytraq.c @@ -63,9 +63,11 @@ struct ao_gps_sat_data { uint8_t c_n_1; }; +#define AO_MAX_GPS_TRACKING 12 + struct ao_gps_tracking_data { uint8_t channels; - struct ao_gps_sat_data sats[12]; + struct ao_gps_sat_data sats[AO_MAX_GPS_TRACKING]; }; void -- 2.30.2