From 0d2a9b6282c9f2ddd792696a6575be3fe12935dd Mon Sep 17 00:00:00 2001
From: Ben Meadors <benmmeadors@gmail.com>
Date: Tue, 23 Jul 2024 06:16:53 -0500
Subject: [PATCH] Fix de/compression buffer overflows in TAK packets (#4317)

* Fix de/compression buffer overflows in TAK packets

* Log message
---
 .semgrepignore                                |  2 +-
 .../compression/{unishox2.c => unishox2.cpp}  | 19 +++-
 src/mesh/compression/unishox2.h               | 76 ++++----------
 src/modules/AtakPluginModule.cpp              | 99 +++++++++++++------
 src/modules/PositionModule.cpp                |  8 +-
 5 files changed, 108 insertions(+), 96 deletions(-)
 rename src/mesh/compression/{unishox2.c => unishox2.cpp} (98%)

diff --git a/.semgrepignore b/.semgrepignore
index 10fcb5f75..b4267ad23 100644
--- a/.semgrepignore
+++ b/.semgrepignore
@@ -1,2 +1,2 @@
 .github/workflows/main_matrix.yml
-src/mesh/compression/unishox2.c
+src/mesh/compression/unishox2.cpp
diff --git a/src/mesh/compression/unishox2.c b/src/mesh/compression/unishox2.cpp
similarity index 98%
rename from src/mesh/compression/unishox2.c
rename to src/mesh/compression/unishox2.cpp
index 99c62f659..fcb12a222 100644
--- a/src/mesh/compression/unishox2.c
+++ b/src/mesh/compression/unishox2.cpp
@@ -15,6 +15,7 @@
  *
  * @author Arundale Ramanathan
  *
+ * Port for Particle (particle.io) / Aruino - Jonathan Greenblatt
  */
 /**
  * @file unishox2.c
@@ -36,6 +37,14 @@
 /// uint8_t is unsigned char
 typedef unsigned char uint8_t;
 
+const char *USX_FREQ_SEQ_DFLT[] = {"\": \"", "\": ", "</", "=\"", "\":\"", "://"};
+const char *USX_FREQ_SEQ_TXT[] = {" the ", " and ", "tion", " with", "ing", "ment"};
+const char *USX_FREQ_SEQ_URL[] = {"https://", "www.", ".com", "http://", ".org", ".net"};
+const char *USX_FREQ_SEQ_JSON[] = {"\": \"", "\": ", "\",", "}}}", "\":\"", "}}"};
+const char *USX_FREQ_SEQ_HTML[] = {"</", "=\"", "div", "href", "class", "<p>"};
+const char *USX_FREQ_SEQ_XML[] = {"</", "=\"", "\">", "<?xml version=\"1.0\"", "xmlns:", "://"};
+const char *USX_TEMPLATES[] = {"tfff-of-tfTtf:rf:rf.fffZ", "tfff-of-tf", "(fff) fff-ffff", "tf:rf:rf", 0};
+
 /// possible horizontal sets and states
 enum { USX_ALPHA = 0, USX_SYM, USX_NUM, USX_DICT, USX_DELTA, USX_NUM_TEMP };
 
@@ -57,7 +66,7 @@ uint8_t usx_code_94[94];
 uint8_t usx_vcodes[] = {0x00, 0x40, 0x60, 0x80, 0x90, 0xA0, 0xB0, 0xC0, 0xD0, 0xD8, 0xE0, 0xE4, 0xE8, 0xEC,
                         0xEE, 0xF0, 0xF2, 0xF4, 0xF6, 0xF7, 0xF8, 0xF9, 0xFA, 0xFB, 0xFC, 0xFD, 0xFE, 0xFF};
 
-/// Length of each vertical code
+/// Length of each veritical code
 uint8_t usx_vcode_lens[] = {2, 3, 3, 4, 4, 4, 4, 4, 5, 5, 6, 6, 6, 7, 7, 7, 7, 7, 8, 8, 8, 8, 8, 8, 8, 8, 8, 8};
 
 /// Vertical Codes and Set number for frequent sequences in sets USX_SYM and USX_NUM. First 3 bits indicate set (USX_SYM/USX_NUM)
@@ -188,7 +197,7 @@ int append_switch_code(char *out, int olen, int ol, uint8_t state)
     return ol;
 }
 
-/// Appends given horizontal and vertical code bits to out
+/// Appends given horizontal and veritical code bits to out
 int append_code(char *out, int olen, int ol, uint8_t code, uint8_t *state, const uint8_t usx_hcodes[],
                 const uint8_t usx_hcode_lens[])
 {
@@ -888,7 +897,7 @@ int read8bitCode(const char *in, int len, int bit_no)
     return code;
 }
 
-/// The list of vertical codes is split into 5 sections. Used by readVCodeIdx()
+/// The list of veritical codes is split into 5 sections. Used by readVCodeIdx()
 #define SECTION_COUNT 5
 /// Used by readVCodeIdx() for finding the section under which the code read using read8bitCode() falls
 uint8_t usx_vsections[] = {0x7F, 0xBF, 0xDF, 0xEF, 0xFF};
@@ -915,7 +924,7 @@ uint8_t usx_vcode_lookup[36] = {(1 << 5) + 0,  (1 << 5) + 0,  (2 << 5) + 1,  (2
 /// compared to using a 256 uint8_t buffer to decode the next 8 bits read by read8bitCode() \n
 /// by splitting the list of vertical codes. \n
 /// Decoder is designed for using less memory, not speed. \n
-/// Returns the vertical code index or 99 if match could not be found. \n
+/// Returns the veritical code index or 99 if match could not be found. \n
 /// Also updates bit_no_p with how many ever bits used by the vertical code.
 int readVCodeIdx(const char *in, int len, int *bit_no_p)
 {
@@ -1420,4 +1429,4 @@ int unishox2_decompress(const char *in, int len, UNISHOX_API_OUT_AND_LEN(char *o
 int unishox2_decompress_simple(const char *in, int len, char *out)
 {
     return unishox2_decompress(in, len, UNISHOX_API_OUT_AND_LEN(out, INT_MAX - 1), USX_PSET_DFLT);
-}
+}
\ No newline at end of file
diff --git a/src/mesh/compression/unishox2.h b/src/mesh/compression/unishox2.h
index a5117a5de..5e2cc8b4c 100644
--- a/src/mesh/compression/unishox2.h
+++ b/src/mesh/compression/unishox2.h
@@ -15,12 +15,7 @@
  *
  * @author Arundale Ramanathan
  *
- */
-
-/**
- * @file unishox2.h
- * @author Arundale Ramanathan, James Z. M. Gao
- * @brief API for Unishox2 Compression and Decompression
+ * Port for Particle (particle.io) / Aruino - Jonathan Greenblatt
  *
  * This file describes each function of the Unishox2 API \n
  * For finding out how this API can be used in your program, \n
@@ -45,7 +40,7 @@
  * The simple api, i.e. unishox2_(de)compress_simple will always omit the buffer length
  */
 #ifndef UNISHOX_API_WITH_OUTPUT_LEN
-#define UNISHOX_API_WITH_OUTPUT_LEN 0
+#define UNISHOX_API_WITH_OUTPUT_LEN 1
 #endif
 
 /// Upto 8 bits of initial magic bit sequence can be included. Bit count can be specified with UNISHOX_MAGIC_BIT_LEN
@@ -156,8 +151,8 @@
         3, 1, 3, 3, 3                                                                                                            \
     }
 
-//#define USX_HCODES_FAVOR_UMLAUT {0x00, 0x40, 0xE0, 0xC0, 0x80}
-//#define USX_HCODE_LENS_FAVOR_UMLAUT {2, 2, 3, 3, 2}
+// #define USX_HCODES_FAVOR_UMLAUT {0x00, 0x40, 0xE0, 0xC0, 0x80}
+// #define USX_HCODE_LENS_FAVOR_UMLAUT {2, 2, 3, 3, 2}
 
 /// Horizontal codes preset favouring umlaut letters
 #define USX_HCODES_FAVOR_UMLAUT                                                                                                  \
@@ -198,50 +193,13 @@
         2, 2, 2, 2, 0                                                                                                            \
     }
 
-/// Default frequently occurring sequences. When composition of text is know beforehand, the other sequences in this section can
-/// be used to achieve more compression.
-#define USX_FREQ_SEQ_DFLT                                                                                                        \
-    (const char *[])                                                                                                             \
-    {                                                                                                                            \
-        "\": \"", "\": ", "</", "=\"", "\":\"", "://"                                                                            \
-    }
-/// Frequently occurring sequences in text content
-#define USX_FREQ_SEQ_TXT                                                                                                         \
-    (const char *[])                                                                                                             \
-    {                                                                                                                            \
-        " the ", " and ", "tion", " with", "ing", "ment"                                                                         \
-    }
-/// Frequently occurring sequences in URL content
-#define USX_FREQ_SEQ_URL                                                                                                         \
-    (const char *[])                                                                                                             \
-    {                                                                                                                            \
-        "https://", "www.", ".com", "http://", ".org", ".net"                                                                    \
-    }
-/// Frequently occurring sequences in JSON content
-#define USX_FREQ_SEQ_JSON                                                                                                        \
-    (const char *[])                                                                                                             \
-    {                                                                                                                            \
-        "\": \"", "\": ", "\",", "}}}", "\":\"", "}}"                                                                            \
-    }
-/// Frequently occurring sequences in HTML content
-#define USX_FREQ_SEQ_HTML                                                                                                        \
-    (const char *[])                                                                                                             \
-    {                                                                                                                            \
-        "</", "=\"", "div", "href", "class", "<p>"                                                                               \
-    }
-/// Frequently occurring sequences in XML content
-#define USX_FREQ_SEQ_XML                                                                                                         \
-    (const char *[])                                                                                                             \
-    {                                                                                                                            \
-        "</", "=\"", "\">", "<?xml version=\"1.0\"", "xmlns:", "://"                                                             \
-    }
-
-/// Commonly occurring templates (ISO Date/Time, ISO Date, US Phone number, ISO Time, Unused)
-#define USX_TEMPLATES                                                                                                            \
-    (const char *[])                                                                                                             \
-    {                                                                                                                            \
-        "tfff-of-tfTtf:rf:rf.fffZ", "tfff-of-tf", "(fff) fff-ffff", "tf:rf:rf", 0                                                \
-    }
+extern const char *USX_FREQ_SEQ_DFLT[];
+extern const char *USX_FREQ_SEQ_TXT[];
+extern const char *USX_FREQ_SEQ_URL[];
+extern const char *USX_FREQ_SEQ_JSON[];
+extern const char *USX_FREQ_SEQ_HTML[];
+extern const char *USX_FREQ_SEQ_XML[];
+extern const char *USX_TEMPLATES[];
 
 /// Default preset parameter set. When composition of text is know beforehand, the other parameter sets in this section can be
 /// used to achieve more compression.
@@ -333,8 +291,8 @@ extern int unishox2_decompress_simple(const char *in, int len, char *out);
  * @param[in] olen           length of 'out' buffer in bytes. Can be omitted if sufficient buffer is provided
  * @param[in] usx_hcodes     Horizontal codes (array of bytes). See macro section for samples.
  * @param[in] usx_hcode_lens Length of each element in usx_hcodes array
- * @param[in] usx_freq_seq   Frequently occurring sequences. See USX_FREQ_SEQ_* macros for samples
- * @param[in] usx_templates  Templates of frequently occurring patterns. See USX_TEMPLATES macro.
+ * @param[in] usx_freq_seq   Frequently occuring sequences. See USX_FREQ_SEQ_* macros for samples
+ * @param[in] usx_templates  Templates of frequently occuring patterns. See USX_TEMPLATES macro.
  */
 extern int unishox2_compress(const char *in, int len, UNISHOX_API_OUT_AND_LEN(char *out, int olen),
                              const unsigned char usx_hcodes[], const unsigned char usx_hcode_lens[], const char *usx_freq_seq[],
@@ -352,8 +310,8 @@ extern int unishox2_compress(const char *in, int len, UNISHOX_API_OUT_AND_LEN(ch
  * @param[in] olen           length of 'out' buffer in bytes. Can be omitted if sufficient buffer is provided
  * @param[in] usx_hcodes     Horizontal codes (array of bytes). See macro section for samples.
  * @param[in] usx_hcode_lens Length of each element in usx_hcodes array
- * @param[in] usx_freq_seq   Frequently occurring sequences. See USX_FREQ_SEQ_* macros for samples
- * @param[in] usx_templates  Templates of frequently occurring patterns. See USX_TEMPLATES macro.
+ * @param[in] usx_freq_seq   Frequently occuring sequences. See USX_FREQ_SEQ_* macros for samples
+ * @param[in] usx_templates  Templates of frequently occuring patterns. See USX_TEMPLATES macro.
  */
 extern int unishox2_decompress(const char *in, int len, UNISHOX_API_OUT_AND_LEN(char *out, int olen),
                                const unsigned char usx_hcodes[], const unsigned char usx_hcode_lens[], const char *usx_freq_seq[],
@@ -373,7 +331,7 @@ extern int unishox2_compress_lines(const char *in, int len, UNISHOX_API_OUT_AND_
                                    const char *usx_freq_seq[], const char *usx_templates[], struct us_lnk_lst *prev_lines);
 /**
  * More Comprehensive API for de-compressing array of strings \n
- * This function is not be used in conjunction with unishox2_compress_lines()
+ * This function is not be used in conjuction with unishox2_compress_lines()
  *
  * See unishox2_decompress() function for parameter definitions. \n
  * Typically an array is compressed using unishox2_compress_lines() and \n
@@ -386,4 +344,4 @@ extern int unishox2_decompress_lines(const char *in, int len, UNISHOX_API_OUT_AN
                                      const unsigned char usx_hcodes[], const unsigned char usx_hcode_lens[],
                                      const char *usx_freq_seq[], const char *usx_templates[], struct us_lnk_lst *prev_lines);
 
-#endif
+#endif
\ No newline at end of file
diff --git a/src/modules/AtakPluginModule.cpp b/src/modules/AtakPluginModule.cpp
index 59263415c..c05f055d4 100644
--- a/src/modules/AtakPluginModule.cpp
+++ b/src/modules/AtakPluginModule.cpp
@@ -5,11 +5,8 @@
 #include "PowerFSM.h"
 #include "configuration.h"
 #include "main.h"
-#include "meshtastic/atak.pb.h"
-
-extern "C" {
 #include "mesh/compression/unishox2.h"
-}
+#include "meshtastic/atak.pb.h"
 
 AtakPluginModule *atakPluginModule;
 
@@ -69,30 +66,53 @@ void AtakPluginModule::alterReceivedProtobuf(meshtastic_MeshPacket &mp, meshtast
         auto compressed = cloneTAKPacketData(t);
         compressed.is_compressed = true;
         if (t->has_contact) {
-            auto length = unishox2_compress_simple(t->contact.callsign, strlen(t->contact.callsign), compressed.contact.callsign);
+            auto length = unishox2_compress_lines(t->contact.callsign, strlen(t->contact.callsign), compressed.contact.callsign,
+                                                  sizeof(compressed.contact.callsign) - 1, USX_PSET_DFLT, NULL);
+            if (length < 0) {
+                LOG_WARN("Compression overflowed contact.callsign. Reverting to uncompressed packet\n");
+                return;
+            }
             LOG_DEBUG("Compressed callsign: %d bytes\n", length);
-
-            length = unishox2_compress_simple(t->contact.device_callsign, strlen(t->contact.device_callsign),
-                                              compressed.contact.device_callsign);
+            length = unishox2_compress_lines(t->contact.device_callsign, strlen(t->contact.device_callsign),
+                                             compressed.contact.device_callsign, sizeof(compressed.contact.device_callsign) - 1,
+                                             USX_PSET_DFLT, NULL);
+            if (length < 0) {
+                LOG_WARN("Compression overflowed contact.device_callsign. Reverting to uncompressed packet\n");
+                return;
+            }
             LOG_DEBUG("Compressed device_callsign: %d bytes\n", length);
         }
         if (t->which_payload_variant == meshtastic_TAKPacket_chat_tag) {
-            auto length = unishox2_compress_simple(t->payload_variant.chat.message, strlen(t->payload_variant.chat.message),
-                                                   compressed.payload_variant.chat.message);
+            auto length = unishox2_compress_lines(t->payload_variant.chat.message, strlen(t->payload_variant.chat.message),
+                                                  compressed.payload_variant.chat.message,
+                                                  sizeof(compressed.payload_variant.chat.message) - 1, USX_PSET_DFLT, NULL);
+            if (length < 0) {
+                LOG_WARN("Compression overflowed chat.message. Reverting to uncompressed packet\n");
+                return;
+            }
             LOG_DEBUG("Compressed chat message: %d bytes\n", length);
 
             if (t->payload_variant.chat.has_to) {
                 compressed.payload_variant.chat.has_to = true;
-                length = unishox2_compress_simple(t->payload_variant.chat.to, strlen(t->payload_variant.chat.to),
-                                                  compressed.payload_variant.chat.to);
+                length = unishox2_compress_lines(t->payload_variant.chat.to, strlen(t->payload_variant.chat.to),
+                                                 compressed.payload_variant.chat.to,
+                                                 sizeof(compressed.payload_variant.chat.to) - 1, USX_PSET_DFLT, NULL);
+                if (length < 0) {
+                    LOG_WARN("Compression overflowed chat.to. Reverting to uncompressed packet\n");
+                    return;
+                }
                 LOG_DEBUG("Compressed chat to: %d bytes\n", length);
             }
 
             if (t->payload_variant.chat.has_to_callsign) {
                 compressed.payload_variant.chat.has_to_callsign = true;
-                length =
-                    unishox2_compress_simple(t->payload_variant.chat.to_callsign, strlen(t->payload_variant.chat.to_callsign),
-                                             compressed.payload_variant.chat.to_callsign);
+                length = unishox2_compress_lines(t->payload_variant.chat.to_callsign, strlen(t->payload_variant.chat.to_callsign),
+                                                 compressed.payload_variant.chat.to_callsign,
+                                                 sizeof(compressed.payload_variant.chat.to_callsign) - 1, USX_PSET_DFLT, NULL);
+                if (length < 0) {
+                    LOG_WARN("Compression overflowed chat.to_callsign. Reverting to uncompressed packet\n");
+                    return;
+                }
                 LOG_DEBUG("Compressed chat to_callsign: %d bytes\n", length);
             }
         }
@@ -102,7 +122,7 @@ void AtakPluginModule::alterReceivedProtobuf(meshtastic_MeshPacket &mp, meshtast
     } else {
         if (!t->is_compressed) {
             // Not compressed. Something is wrong
-            LOG_ERROR("Received uncompressed TAKPacket over radio!\n");
+            LOG_WARN("Received uncompressed TAKPacket over radio! Skipping\n");
             return;
         }
 
@@ -112,32 +132,55 @@ void AtakPluginModule::alterReceivedProtobuf(meshtastic_MeshPacket &mp, meshtast
         uncompressed.is_compressed = false;
         if (t->has_contact) {
             auto length =
-                unishox2_decompress_simple(t->contact.callsign, strlen(t->contact.callsign), uncompressed.contact.callsign);
-
+                unishox2_decompress_lines(t->contact.callsign, strlen(t->contact.callsign), uncompressed.contact.callsign,
+                                          sizeof(uncompressed.contact.callsign) - 1, USX_PSET_DFLT, NULL);
+            if (length < 0) {
+                LOG_WARN("Decompression overflowed contact.callsign. Bailing out\n");
+                return;
+            }
             LOG_DEBUG("Decompressed callsign: %d bytes\n", length);
 
-            length = unishox2_decompress_simple(t->contact.device_callsign, strlen(t->contact.device_callsign),
-                                                uncompressed.contact.device_callsign);
-
+            length = unishox2_decompress_lines(t->contact.device_callsign, strlen(t->contact.device_callsign),
+                                               uncompressed.contact.device_callsign,
+                                               sizeof(uncompressed.contact.device_callsign) - 1, USX_PSET_DFLT, NULL);
+            if (length < 0) {
+                LOG_WARN("Decompression overflowed contact.device_callsign. Bailing out\n");
+                return;
+            }
             LOG_DEBUG("Decompressed device_callsign: %d bytes\n", length);
         }
         if (uncompressed.which_payload_variant == meshtastic_TAKPacket_chat_tag) {
-            auto length = unishox2_decompress_simple(t->payload_variant.chat.message, strlen(t->payload_variant.chat.message),
-                                                     uncompressed.payload_variant.chat.message);
+            auto length = unishox2_decompress_lines(t->payload_variant.chat.message, strlen(t->payload_variant.chat.message),
+                                                    uncompressed.payload_variant.chat.message,
+                                                    sizeof(uncompressed.payload_variant.chat.message) - 1, USX_PSET_DFLT, NULL);
+            if (length < 0) {
+                LOG_WARN("Decompression overflowed chat.message. Bailing out\n");
+                return;
+            }
             LOG_DEBUG("Decompressed chat message: %d bytes\n", length);
 
             if (t->payload_variant.chat.has_to) {
                 uncompressed.payload_variant.chat.has_to = true;
-                length = unishox2_decompress_simple(t->payload_variant.chat.to, strlen(t->payload_variant.chat.to),
-                                                    uncompressed.payload_variant.chat.to);
+                length = unishox2_decompress_lines(t->payload_variant.chat.to, strlen(t->payload_variant.chat.to),
+                                                   uncompressed.payload_variant.chat.to,
+                                                   sizeof(uncompressed.payload_variant.chat.to) - 1, USX_PSET_DFLT, NULL);
+                if (length < 0) {
+                    LOG_WARN("Decompression overflowed chat.to. Bailing out\n");
+                    return;
+                }
                 LOG_DEBUG("Decompressed chat to: %d bytes\n", length);
             }
 
             if (t->payload_variant.chat.has_to_callsign) {
                 uncompressed.payload_variant.chat.has_to_callsign = true;
                 length =
-                    unishox2_decompress_simple(t->payload_variant.chat.to_callsign, strlen(t->payload_variant.chat.to_callsign),
-                                               uncompressed.payload_variant.chat.to_callsign);
+                    unishox2_decompress_lines(t->payload_variant.chat.to_callsign, strlen(t->payload_variant.chat.to_callsign),
+                                              uncompressed.payload_variant.chat.to_callsign,
+                                              sizeof(uncompressed.payload_variant.chat.to_callsign) - 1, USX_PSET_DFLT, NULL);
+                if (length < 0) {
+                    LOG_WARN("Decompression overflowed chat.to_callsign. Bailing out\n");
+                    return;
+                }
                 LOG_DEBUG("Decompressed chat to_callsign: %d bytes\n", length);
             }
         }
@@ -148,4 +191,4 @@ void AtakPluginModule::alterReceivedProtobuf(meshtastic_MeshPacket &mp, meshtast
         service.sendToPhone(decompressedCopy);
     }
     return;
-}
\ No newline at end of file
+}
diff --git a/src/modules/PositionModule.cpp b/src/modules/PositionModule.cpp
index b3294a866..228929e96 100644
--- a/src/modules/PositionModule.cpp
+++ b/src/modules/PositionModule.cpp
@@ -11,12 +11,12 @@
 #include "configuration.h"
 #include "gps/GeoCoord.h"
 #include "main.h"
+#include "mesh/compression/unishox2.h"
 #include "meshtastic/atak.pb.h"
 #include "sleep.h"
 #include "target_specific.h"
 
 extern "C" {
-#include "mesh/compression/unishox2.h"
 #include <Throttle.h>
 }
 
@@ -255,10 +255,12 @@ meshtastic_MeshPacket *PositionModule::allocAtakPli()
                                            .course = static_cast<uint16_t>(localPosition.ground_track),
                                        }}};
 
-    auto length = unishox2_compress_simple(owner.long_name, strlen(owner.long_name), takPacket.contact.device_callsign);
+    auto length = unishox2_compress_lines(owner.long_name, strlen(owner.long_name), takPacket.contact.device_callsign,
+                                          sizeof(takPacket.contact.device_callsign) - 1, USX_PSET_DFLT, NULL);
     LOG_DEBUG("Uncompressed device_callsign '%s' - %d bytes\n", owner.long_name, strlen(owner.long_name));
     LOG_DEBUG("Compressed device_callsign '%s' - %d bytes\n", takPacket.contact.device_callsign, length);
-    length = unishox2_compress_simple(owner.long_name, strlen(owner.long_name), takPacket.contact.callsign);
+    length = unishox2_compress_lines(owner.long_name, strlen(owner.long_name), takPacket.contact.callsign,
+                                     sizeof(takPacket.contact.callsign) - 1, USX_PSET_DFLT, NULL);
     mp->decoded.payload.size =
         pb_encode_to_bytes(mp->decoded.payload.bytes, sizeof(mp->decoded.payload.bytes), &meshtastic_TAKPacket_msg, &takPacket);
     return mp;