In module /board/RAK811/gps-board.c the array NmeaString is defined as 512 bytes; however, when parsing through the incoming data in function GpsMcuIrqNotify(), the bounds check is for 1024 bytes. Perhaps it is never actually overflowing as long as '$' and '\n' are always spotted by the function; however, there exists the possibility that an unusually long message might not be properly truncated by the code and would allow the function to destroy memory contents beyond the defined size of the buffer.
```c
/*
 * \brief Buffer holding the raw data received from the gps
 */
uint8_t NmeaString[512];

void GpsMcuIrqNotify( UartNotifyId_t id )
{
    uint8_t data;
    if( id == UART_NOTIFY_RX )
    {
        if( UartMcuGetChar( &GpsUart, &data ) == 0 )
        {
            if( ( data == '$' ) || ( NmeaStringSize >= 1024 ) )
            {
                NmeaStringSize = 0;
            }
            NmeaString[NmeaStringSize++] = ( int8_t )data;
            if( data == '\n' )
            {
                NmeaString[NmeaStringSize++] = '\0';
                GpsParseGpsData( ( int8_t* )NmeaString, NmeaStringSize );
#ifdef GPS_PPS
                UartMcuDeInit( &GpsUart );
#endif
                BlockLowPowerDuringTask ( false );
            }
        }
    }
}
```
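An added example, not code from the project: a bounded version of the byte-at-a-time accumulation in GpsMcuIrqNotify(), with the limit taken from the array via `sizeof` and one byte reserved for the terminator. The names `nmea_rx_t`, `nmea_rx_init`, `nmea_rx_feed` and the `guard` field are hypothetical, and discarding an over-long sentence until the next '$' is a choice made here rather than the project's behaviour.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define NMEA_BUF_LEN 512u       /* same size as NmeaString on the page */

/* Hypothetical receiver state (not a project type). */
typedef struct {
    uint8_t  buf[NMEA_BUF_LEN];
    uint32_t guard;             /* canary after buf so a test can detect an overrun */
    size_t   len;               /* bytes currently stored in buf */
    size_t   dropped;           /* over-long sentences discarded */
    bool     in_sentence;       /* true between '$' and '\n' */
} nmea_rx_t;

void nmea_rx_init(nmea_rx_t *rx)
{
    memset(rx, 0, sizeof *rx);
    rx->guard = 0xA5A5A5A5u;
}

/* Feed one received byte. Returns the sentence length (excluding the NUL)
 * when '\n' completes a sentence, otherwise 0. */
size_t nmea_rx_feed(nmea_rx_t *rx, uint8_t data)
{
    if (data == '$') {          /* start of a new sentence */
        rx->len = 0;
        rx->in_sentence = true;
    }
    if (!rx->in_sentence) {
        return 0;               /* resynchronising: ignore bytes until '$' */
    }
    /* Limit comes from the array itself; the last byte is kept for '\0'. */
    if (rx->len >= sizeof rx->buf - 1u) {
        rx->in_sentence = false;
        rx->len = 0;
        rx->dropped++;
        return 0;
    }
    rx->buf[rx->len++] = data;
    if (data == '\n') {
        rx->buf[rx->len] = '\0';    /* index is at most sizeof buf - 1 */
        rx->in_sentence = false;
        return rx->len;
    }
    return 0;
}
```
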