Skip to content

fix buffer overflow from deprecated MSP2_INAV_LOGIC_CONDITIONS #11099

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
stronnag merged 1 commit into from
Nov 3, 2025
Merged

fix buffer overflow from deprecated MSP2_INAV_LOGIC_CONDITIONS #11099

stronnag merged 1 commit into from
Nov 3, 2025

Conversation

@stronnag
Copy link
Collaborator

@stronnag stronnag commented Nov 2, 2025
edited by qodo-code-review bot
Loading

User description

The deprecated MSP2_INAV_LOGIC_CONDITIONS generates a MSP output buffer of 896 bytes, which crashes the SITL and may result in undefined behaviour in the FC.

As there is a usable and safe replacement API, MSP2_INAV_LOGIC_CONDITIONS_SINGLE, this PR neuters MSP2_INAV_LOGIC_CONDITIONS by returning an "invalid" response.

In a future version, we should just remove MSP2_INAV_LOGIC_CONDITIONS completely (which would have the same effect).

PR Type

Bug fix

Description

  • Prevents buffer overflow from deprecated MSP2_INAV_LOGIC_CONDITIONS command

  • Returns invalid response instead of writing 896 bytes to buffer

  • Directs users to use MSP2_INAV_LOGIC_CONDITIONS_SINGLE alternative

Diagram Walkthrough

flowchart LR
  A["MSP2_INAV_LOGIC_CONDITIONS<br/>request"] -->|"Previously: write<br/>14*64 bytes"| B["Buffer overflow<br/>crash"]
  A -->|"Now: return false"| C["Invalid response<br/>safe"]
  D["MSP2_INAV_LOGIC_CONDITIONS_SINGLE"] -->|"Recommended<br/>alternative"| C
Loading

File Walkthrough
Relevant files
Bug fix
fc_msp.c
Disable deprecated MSP2_INAV_LOGIC_CONDITIONS command       

src/main/fc/fc_msp.c

  • Removed loop that wrote 14 logic condition entries (896 bytes total)
    to output buffer
  • Replaced with single return false statement to indicate
    invalid/deprecated command
  • Prevents buffer overflow that caused SITL crashes and undefined
    behavior
  • Directs users to use MSP2_INAV_LOGIC_CONDITIONS_SINGLE API instead
 +1/-11   

@qodo-code-review
Copy link
Contributor

qodo-code-review bot commented Nov 2, 2025
edited
Loading

PR Compliance Guide 🔍

(Compliance updated until commit 1bd1a20)

All compliance sections have been disabled in the configurations.

Previous compliance checks

Compliance check up to commit 1bd1a20

@qodo-code-review
Copy link
Contributor

qodo-code-review bot commented Nov 2, 2025

PR Code Suggestions ✨

No code suggestions found for the PR.

@stronnag stronnag changed the title fix buffer overflow from decrepated MSP2_INAV_LOGIC_CONDITIONS fix buffer overflow from deprecated MSP2_INAV_LOGIC_CONDITIONS Nov 2, 2025
@stronnag stronnag added this to the 9.0 milestone Nov 2, 2025
@stronnag stronnag added the Bugfix label Nov 2, 2025
@stronnag
Copy link
Collaborator Author

stronnag commented Nov 2, 2025

Previously, a single call to MSP2_INAV_LOGIC_CONDITIONS would crash the SITL.
With this fix (returning no data), the test program is content (debug line count increments).

image

@stronnag
Copy link
Collaborator Author

stronnag commented Nov 2, 2025

And, FYI, the Configurator knows about the deprecation and uses the safe API:

grep -r MSPCodes.MSP2_INAV_LOGIC_CONDITIONS_SINGLE js
js/msp/MSPHelper.js:            case MSPCodes.MSP2_INAV_LOGIC_CONDITIONS_SINGLE:
js/msp/MSPHelper.js:            MSP.send_message(MSPCodes.MSP2_INAV_LOGIC_CONDITIONS_SINGLE, [idx], false, nextLogicCondition);
js/msp/MSPHelper.js:                    MSP.send_message(MSPCodes.MSP2_INAV_LOGIC_CONDITIONS_SINGLE, [idx], false, nextLogicCondition);
js/msp/MSPHelper.js:                    MSP.send_message(MSPCodes.MSP2_INAV_LOGIC_CONDITIONS_SINGLE, [idx], false, callback);

@stronnag stronnag merged commit 23f264c into master Nov 3, 2025
21 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Bugfix Possible security concern Review effort 1/5

Projects

None yet

Milestone

9.0

Development

Successfully merging this pull request may close these issues.

2 participants

@stronnag