From 738127e7e11da587f63b9531ec732a37bdb436b0 Mon Sep 17 00:00:00 2001
From: Mark Haslinghuis
Date: Mon, 23 Oct 2023 16:57:41 +0200
Subject: [PATCH] Fix buffer overflow in JETIEXBUS character reception (#13130) (#13136)
* Fix buffer overflow in jetiexbus character reception
* Update src/main/rx/jetiexbus.c
---------
Co-authored-by: Steve Evans
---
 src/main/rx/jetiexbus.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/src/main/rx/jetiexbus.c b/src/main/rx/jetiexbus.c
index 0d0e7a90004..d0682cece4d 100644
--- a/src/main/rx/jetiexbus.c
+++ b/src/main/rx/jetiexbus.c
@@ -153,6 +153,7 @@ static void jetiExBusDataReceive(uint16_t c, void *data)
 static timeUs_t jetiExBusTimeLast = 0;
 static uint8_t *jetiExBusFrame;
+ static uint8_t jetiExBusFrameMaxSize;
 const timeUs_t now = microsISR();
 // Check if we shall reset frame position due to time
@@ -169,11 +170,13 @@ static void jetiExBusDataReceive(uint16_t c, void *data)
 case EXBUS_START_CHANNEL_FRAME:
 jetiExBusFrameState = EXBUS_STATE_IN_PROGRESS;
 jetiExBusFrame = jetiExBusChannelFrame;
+ jetiExBusFrameMaxSize = EXBUS_MAX_CHANNEL_FRAME_SIZE;
 break;
 case EXBUS_START_REQUEST_FRAME:
 jetiExBusRequestState = EXBUS_STATE_IN_PROGRESS;
 jetiExBusFrame = jetiExBusRequestFrame;
+ jetiExBusFrameMaxSize = EXBUS_MAX_REQUEST_FRAME_SIZE;
 break;
 default:
@@ -181,6 +184,15 @@ static void jetiExBusDataReceive(uint16_t c, void *data)
 }
 }
+ if (jetiExBusFramePosition == jetiExBusFrameMaxSize) {
+ // frame overrun
+ jetiExBusFrameReset();
+ jetiExBusFrameState = EXBUS_STATE_ZERO;
+ jetiExBusRequestState = EXBUS_STATE_ZERO;
+
+ return;
+ }
+ // Store in frame copy
 jetiExBusFrame[jetiExBusFramePosition] = (uint8_t)c;
 jetiExBusFramePosition++;
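Review bot: `jetiExBusFrameMaxSize` in the first hunk (@@ -153) is declared `uint8_t`, so a size macro assigned to it later would be silently truncated if it ever grew past 255, and the overrun check would then compare against the wrong limit. The macro definitions are not visible in this diff, so this is a latent risk rather than a demonstrated bug; a compile-time check beside the buffer declarations, or a wider type for the variable, would pin it down. A short comment such as `// capacity of the buffer jetiExBusFrame currently points to; always set together with it` would also document that the two statics must change as a pair. The body of jetiExBusDataReceive continues outside this hunk.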
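Review bot: The limit assigned in the second hunk (@@ -169) comes from a macro rather than from the buffer it protects, so the overflow guard is only correct while `EXBUS_MAX_CHANNEL_FRAME_SIZE` and `EXBUS_MAX_REQUEST_FRAME_SIZE` stay equal to the declared lengths of `jetiExBusChannelFrame` and `jetiExBusRequestFrame`. Those declarations are outside the diff; if both are arrays visible in this file, `jetiExBusFrameMaxSize = sizeof(jetiExBusChannelFrame);` and the matching line for the request frame would keep pointer and capacity from drifting apart. The switch sits inside jetiExBusDataReceive, which starts and ends outside this hunk.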
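Review bot: The overrun test in the third hunk (@@ -181) uses `==`, which protects the store only while `jetiExBusFramePosition` advances one byte at a time and is never above the limit on entry; `if (jetiExBusFramePosition >= jetiExBusFrameMaxSize) {` costs nothing and fails closed if either variable is ever changed elsewhere. The branch also clears both `jetiExBusFrameState` and `jetiExBusRequestState`, so an oversized frame of one kind may discard a completed frame of the other kind that has not been consumed yet. Whether that can happen depends on code outside this diff, and resetting only the state of the frame in progress would avoid it. The function continues past the last line shown.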