Merge pull request iNavFlight#11210 from VoodooChild99/fix-crsf-parsing

sensei-hacker · web-flow · commit 0997f7c73a9f · 2026-02-01T09:19:46.000-06:00
Verify frame length when handling CRSF_FRAMETYPE_MSP_REQ/CRSF_FRAMETYPE_MSP_WRITE
diff --git a/src/main/rx/crsf.c b/src/main/rx/crsf.c
@@ -178,9 +178,13 @@ STATIC_UNIT_TESTED void crsfDataReceive(uint16_t c, void *rxCallbackData)
 #if defined(USE_MSP_OVER_TELEMETRY)
                         case CRSF_FRAMETYPE_MSP_REQ:
                         case CRSF_FRAMETYPE_MSP_WRITE: {
-                            uint8_t *frameStart = (uint8_t *)&crsfFrame.frame.payload + CRSF_FRAME_ORIGIN_DEST_SIZE;
-                            if (bufferCrsfMspFrame(frameStart, crsfFrame.frame.frameLength - 4)) {
-                                crsfScheduleMspResponse(crsfFrame.frame.payload[1]);
+                            if (crsfFrame.frame.frameLength >= 4) {
+                                uint8_t *frameStart = (uint8_t *)&crsfFrame.frame.payload + CRSF_FRAME_ORIGIN_DEST_SIZE;
+                                if (bufferCrsfMspFrame(frameStart, crsfFrame.frame.frameLength - 4)) {
+                                    crsfScheduleMspResponse(crsfFrame.frame.payload[1]);
+                                }
+                            } else {
+                                crsfFrameDone = false;
                             }
                             break;
                         }
