Verify frame length when handling CRSF_FRAMETYPE_MSP_REQ/CRSF_FRAMETYPE_MSP_WRITE

[VoodooChild99]

This PR addresses #11209

[github-actions]

Branch Targeting Suggestion

You've targeted the master branch with this PR. Please consider if a version branch might be more appropriate:

• maintenance-9.x - If your change is backward-compatible and won't create compatibility issues between INAV firmware and Configurator 9.x versions. This will allow your PR to be included in the next 9.x release.

• maintenance-10.x - If your change introduces compatibility requirements between firmware and configurator that would break 9.x compatibility. This is for PRs which will be included in INAV 10.x

If master is the correct target for this change, no action is needed.

---

This is an automated suggestion to help route contributions to the appropriate branch.

[Copilot]

Pull request overview

This PR adds frame length validation for CRSF MSP frame types to prevent potential underflow issues when processing frames. It addresses issue #11209 by ensuring that MSP request and write frames have the minimum required length before processing.

Changes:

• Added validation to check that frameLength >= 4 before processing CRSF_FRAMETYPE_MSP_REQ and CRSF_FRAMETYPE_MSP_WRITE frames
• Added error handling to discard frames that fail validation by setting crsfFrameDone = false

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The magic number 4 should be replaced with the named constant CRSF_FRAME_LENGTH_EXT_TYPE_CRC for better code maintainability and clarity. This constant represents the overhead for extended frames (Type + Origin + Destination + CRC).

Suggested change

	if (crsfFrame.frame.frameLength >= 4) {
	uint8_t *frameStart = (uint8_t *)&crsfFrame.frame.payload + CRSF_FRAME_ORIGIN_DEST_SIZE;
	if (bufferCrsfMspFrame(frameStart, crsfFrame.frame.frameLength - 4)) {
	if (crsfFrame.frame.frameLength >= CRSF_FRAME_LENGTH_EXT_TYPE_CRC) {
	uint8_t *frameStart = (uint8_t *)&crsfFrame.frame.payload + CRSF_FRAME_ORIGIN_DEST_SIZE;
	if (bufferCrsfMspFrame(frameStart, crsfFrame.frame.frameLength - CRSF_FRAME_LENGTH_EXT_TYPE_CRC)) {

[sensei-hacker]

Thanks for this. Has this been observed actually happening?

I asked because I am deciding whether to merge it today for INAV 9.0.0, or for INAV 9.1 in March-April.

[VoodooChild99]

Thanks for looking into it. I got INAV running in an emulator and did some fuzzing, and the fuzzer triggered this bug. I haven’t reproduced it on real hardware though since I don’t have a drone to test on.