From 27f6ebdc6b9d0b152195413cac12cf0318b7a353 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beat=20K=C3=BCng?=
Date: Wed, 16 Oct 2019 11:30:52 +0200
Subject: [PATCH 1/3] uORBManager: print errno for advertisement failures
Helps with debugging.
---
 src/modules/uORB/uORBManager.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/modules/uORB/uORBManager.cpp b/src/modules/uORB/uORBManager.cpp
index 7febe89353f4..66fe3ebaf2c8 100644
--- a/src/modules/uORB/uORBManager.cpp
+++ b/src/modules/uORB/uORBManager.cpp
@@ -198,7 +198,7 @@ orb_advert_t uORB::Manager::orb_advertise_multi(const struct orb_metadata *meta,
 int fd = node_open(meta, true, instance, priority);
 if (fd == PX4_ERROR) {
- PX4_ERR("%s advertise failed", meta->o_name);
+ PX4_ERR("%s advertise failed (%i)", meta->o_name, errno);
 return nullptr;
 }
From 4b92a623dfd5a3454392f25a3074f86874b2f1b0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beat=20K=C3=BCng?=
Date: Wed, 16 Oct 2019 11:35:38 +0200
Subject: [PATCH 2/3] mixer_{multicopter,helicopter}: add buffer size check
Fixes a potential buffer overflow if an MC/helicopter mixer is used that exceeds the number of physical pins. This is not a useful/flyable configuration, but the system still should not crash.
---
 src/lib/mixer/mixer_helicopter.cpp | 4 ++++
 src/lib/mixer/mixer_multirotor.cpp | 4 ++++
 2 files changed, 8 insertions(+)
diff --git a/src/lib/mixer/mixer_helicopter.cpp b/src/lib/mixer/mixer_helicopter.cpp
index 87441ee7bcf0..c087b3a28311 100644
--- a/src/lib/mixer/mixer_helicopter.cpp
+++ b/src/lib/mixer/mixer_helicopter.cpp
@@ -200,6 +200,10 @@ HelicopterMixer::from_text(Mixer::ControlCallback control_cb, uintptr_t cb_handl
 unsigned HelicopterMixer::mix(float *outputs, unsigned space) {
+ if (space < _mixer_info.control_count + 1u) {
+ return 0;
+ }
+
 /* Find index to use for curves */
 float thrust_cmd = get_control(0, 3);
 int idx = (thrust_cmd / 0.25f);
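Review bot: The early return added at the top of HelicopterMixer::mix (`if (space < _mixer_info.control_count + 1u) { return 0; }`) leaves `outputs` unwritten and reports nothing, so a mixer too large for the output buffer fails silently on every cycle; the `space < _rotor_count` guard added to MultirotorMixer::mix behaves the same way. Whether callers treat a return of 0 as "no outputs valid" is not visible in these hunks, so it is worth confirming they do not go on to use stale buffer contents. The `+ 1u` is also unexplained; it presumably reflects how many entries the rest of mix() writes, and a comment such as `/* mix() writes control_count + 1 outputs; return 0 (nothing written) if the caller's buffer is smaller */` would pin that down once confirmed. Since the mismatch is a static configuration error, rejecting the oversized mixer once when it is loaded, where the failure can be logged, would complement the per-cycle guard. Both mix() bodies continue outside the hunks.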
diff --git a/src/lib/mixer/mixer_multirotor.cpp b/src/lib/mixer/mixer_multirotor.cpp
index ce04811d9e5c..8559d0182372 100644
--- a/src/lib/mixer/mixer_multirotor.cpp
+++ b/src/lib/mixer/mixer_multirotor.cpp
@@ -354,6 +354,10 @@ void MultirotorMixer::mix_yaw(float yaw, float *outputs)
 unsigned MultirotorMixer::mix(float *outputs, unsigned space) {
+ if (space < _rotor_count) {
+ return 0;
+ }
+
 float roll = math::constrain(get_control(0, 0) * _roll_scale, -1.0f, 1.0f);
 float pitch = math::constrain(get_control(0, 1) * _pitch_scale, -1.0f, 1.0f);
 float yaw = math::constrain(get_control(0, 2) * _yaw_scale, -1.0f, 1.0f);
From 1286495d39ecfa58b2f4a70e7c726e72dd40cdfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Beat=20K=C3=BCng?=
Date: Wed, 16 Oct 2019 11:36:48 +0200
Subject: [PATCH 3/3] io_timer: fix potential invalid memory access
---
 platforms/nuttx/src/px4/nxp/kinetis/io_pins/io_timer.c | 2 +-
 platforms/nuttx/src/px4/stm/stm32_common/io_pins/io_timer.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/platforms/nuttx/src/px4/nxp/kinetis/io_pins/io_timer.c b/platforms/nuttx/src/px4/nxp/kinetis/io_pins/io_timer.c
index 7ba1ce7fd477..b6b4b048fe67 100644
--- a/platforms/nuttx/src/px4/nxp/kinetis/io_pins/io_timer.c
+++ b/platforms/nuttx/src/px4/nxp/kinetis/io_pins/io_timer.c
@@ -525,7 +525,7 @@ void io_timer_trigger(void)
 irqstate_t flags = px4_enter_critical_section();
- for (actions = 0; action_cache[actions] != 0 && actions < MAX_IO_TIMERS; actions++) {
+ for (actions = 0; actions < MAX_IO_TIMERS && action_cache[actions] != 0; actions++) {
 _REG32(action_cache[actions], KINETIS_FTM_SYNC_OFFSET) |= FTM_SYNC;
 }
diff --git a/platforms/nuttx/src/px4/stm/stm32_common/io_pins/io_timer.c b/platforms/nuttx/src/px4/stm/stm32_common/io_pins/io_timer.c
index d977e4dd48f3..4f6e0d3ef1ea 100644
--- a/platforms/nuttx/src/px4/stm/stm32_common/io_pins/io_timer.c
+++ b/platforms/nuttx/src/px4/stm/stm32_common/io_pins/io_timer.c
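Review bot: The reordered loop condition in the kinetis io_timer_trigger (`actions < MAX_IO_TIMERS && action_cache[actions] != 0`) is only safe while the bound test stays first, and nothing in the loop says so; the identical loop in the stm32_common io_timer.c hunk has the same gap. A one-line comment above the `for` would keep a later cleanup from swapping the operands back, e.g. `/* check the index before reading: action_cache may be completely filled, with no 0 terminator */`. This assumes action_cache holds MAX_IO_TIMERS entries, which is declared outside the hunk and should be confirmed there. io_timer_trigger's body continues outside both hunks.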
@@ -559,7 +559,7 @@ void io_timer_trigger(void)
 irqstate_t flags = px4_enter_critical_section();
- for (actions = 0; action_cache[actions] != 0 && actions < MAX_IO_TIMERS; actions++) {
+ for (actions = 0; actions < MAX_IO_TIMERS && action_cache[actions] != 0; actions++) {
 _REG32(action_cache[actions], STM32_GTIM_EGR_OFFSET) |= GTIM_EGR_UG;
 }