verify crsf frame length when handling CRSF_FRAMETYPE_MSP_REQ/CRSF_FRAMETYPE_MSP_WRITE

VoodooChild99 · VoodooChild99 · commit 89526c5bd0af · 2025-12-26T19:49:43.000+08:00
diff --git a/src/main/rx/crsf.c b/src/main/rx/crsf.c
@@ -173,9 +173,13 @@ STATIC_UNIT_TESTED void crsfDataReceive(uint16_t c, void *rxCallbackData)
 #if defined(USE_MSP_OVER_TELEMETRY)
                         case CRSF_FRAMETYPE_MSP_REQ:
                         case CRSF_FRAMETYPE_MSP_WRITE: {
-                            uint8_t *frameStart = (uint8_t *)&crsfFrame.frame.payload + CRSF_FRAME_ORIGIN_DEST_SIZE;
-                            if (bufferCrsfMspFrame(frameStart, crsfFrame.frame.frameLength - 4)) {
-                                crsfScheduleMspResponse(crsfFrame.frame.payload[1]);
+                            if (crsfFrame.frame.frameLength >= 4) {
+                                uint8_t *frameStart = (uint8_t *)&crsfFrame.frame.payload + CRSF_FRAME_ORIGIN_DEST_SIZE;
+                                if (bufferCrsfMspFrame(frameStart, crsfFrame.frame.frameLength - 4)) {
+                                    crsfScheduleMspResponse(crsfFrame.frame.payload[1]);
+                                }
+                            } else {
+                                crsfFrameDone = false;
                             }
                             break;
                         }
