[FL-3759] Fix expansion protocol crash when fed lots of garbage (#3409)

* Fix crash caused by garbage input
* Add unit tests for garbage input
* Enable applications to disable and then restore expansion module support
* GPIO App: disable expansion on app start and re-enable on exit

Co-authored-by: Aleksandr Kutuzov <alleteam@gmail.com>

applications/debug/expansion_test/expansion_test.c

@@ -100,17 +100,19 @@ static void expansion_test_app_start(ExpansionTestApp* instance) {
     // Configure the serial port
     furi_hal_serial_init(instance->handle, EXPANSION_PROTOCOL_DEFAULT_BAUD_RATE);
     // Start waiting for the initial pulse
-    expansion_enable(instance->expansion, HOST_SERIAL_ID);
+    expansion_set_listen_serial(instance->expansion, HOST_SERIAL_ID);
 
     furi_hal_serial_async_rx_start(
         instance->handle, expansion_test_app_serial_rx_callback, instance, false);
 }
 
 static void expansion_test_app_stop(ExpansionTestApp* instance) {
+    // Disable expansion module support
+    expansion_disable(instance->expansion);
     // Give back the module handle
     furi_hal_serial_control_release(instance->handle);
-    // Turn expansion module support off
-    expansion_disable(instance->expansion);
+    // Restore expansion user settings
+    expansion_enable(instance->expansion);
     furi_record_close(RECORD_EXPANSION);
 }
 

applications/debug/unit_tests/expansion/expansion_test.c

@@ -1,8 +1,14 @@
 #include "../minunit.h"
 
 #include <furi.h>
+#include <furi_hal_random.h>
+
 #include <expansion/expansion_protocol.h>
 
+#define EXPANSION_TEST_GARBAGE_MAGIC (0xB19AF)
+#define EXPANSION_TEST_GARBAGE_BUF_SIZE (0x100U)
+#define EXPANSION_TEST_GARBAGE_ITERATIONS (100U)
+
 MU_TEST(test_expansion_encoded_size) {
     ExpansionFrame frame = {};
 
@@ -28,43 +34,62 @@ MU_TEST(test_expansion_encoded_size) {
 MU_TEST(test_expansion_remaining_size) {
     ExpansionFrame frame = {};
 
-    mu_assert_int_eq(1, expansion_frame_get_remaining_size(&frame, 0));
+    size_t remaining_size;
+    mu_check(expansion_frame_get_remaining_size(&frame, 0, &remaining_size));
+    mu_assert_int_eq(1, remaining_size);
 
     frame.header.type = ExpansionFrameTypeHeartbeat;
-    mu_assert_int_eq(1, expansion_frame_get_remaining_size(&frame, 0));
-    mu_assert_int_eq(0, expansion_frame_get_remaining_size(&frame, 1));
-    mu_assert_int_eq(0, expansion_frame_get_remaining_size(&frame, 100));
+    mu_check(expansion_frame_get_remaining_size(&frame, 0, &remaining_size));
+    mu_assert_int_eq(1, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 1, &remaining_size));
+    mu_assert_int_eq(0, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 100, &remaining_size));
+    mu_assert_int_eq(0, remaining_size);
 
     frame.header.type = ExpansionFrameTypeStatus;
-    mu_assert_int_eq(1, expansion_frame_get_remaining_size(&frame, 0));
-    mu_assert_int_eq(1, expansion_frame_get_remaining_size(&frame, 1));
-    mu_assert_int_eq(0, expansion_frame_get_remaining_size(&frame, 2));
-    mu_assert_int_eq(0, expansion_frame_get_remaining_size(&frame, 100));
+    mu_check(expansion_frame_get_remaining_size(&frame, 0, &remaining_size));
+    mu_assert_int_eq(1, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 1, &remaining_size));
+    mu_assert_int_eq(1, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 2, &remaining_size));
+    mu_assert_int_eq(0, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 100, &remaining_size));
+    mu_assert_int_eq(0, remaining_size);
 
     frame.header.type = ExpansionFrameTypeBaudRate;
-    mu_assert_int_eq(1, expansion_frame_get_remaining_size(&frame, 0));
-    mu_assert_int_eq(4, expansion_frame_get_remaining_size(&frame, 1));
-    mu_assert_int_eq(0, expansion_frame_get_remaining_size(&frame, 5));
-    mu_assert_int_eq(0, expansion_frame_get_remaining_size(&frame, 100));
+    mu_check(expansion_frame_get_remaining_size(&frame, 0, &remaining_size));
+    mu_assert_int_eq(1, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 1, &remaining_size));
+    mu_assert_int_eq(4, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 5, &remaining_size));
+    mu_assert_int_eq(0, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 100, &remaining_size));
+    mu_assert_int_eq(0, remaining_size);
 
     frame.header.type = ExpansionFrameTypeControl;
-    mu_assert_int_eq(1, expansion_frame_get_remaining_size(&frame, 0));
-    mu_assert_int_eq(1, expansion_frame_get_remaining_size(&frame, 1));
-    mu_assert_int_eq(0, expansion_frame_get_remaining_size(&frame, 2));
-    mu_assert_int_eq(0, expansion_frame_get_remaining_size(&frame, 100));
+    mu_check(expansion_frame_get_remaining_size(&frame, 0, &remaining_size));
+    mu_assert_int_eq(1, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 1, &remaining_size));
+    mu_assert_int_eq(1, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 2, &remaining_size));
+    mu_assert_int_eq(0, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 100, &remaining_size));
+    mu_assert_int_eq(0, remaining_size);
 
     frame.header.type = ExpansionFrameTypeData;
     frame.content.data.size = EXPANSION_PROTOCOL_MAX_DATA_SIZE;
-    mu_assert_int_eq(1, expansion_frame_get_remaining_size(&frame, 0));
-    mu_assert_int_eq(1, expansion_frame_get_remaining_size(&frame, 1));
-    mu_assert_int_eq(
-        EXPANSION_PROTOCOL_MAX_DATA_SIZE, expansion_frame_get_remaining_size(&frame, 2));
+    mu_check(expansion_frame_get_remaining_size(&frame, 0, &remaining_size));
+    mu_assert_int_eq(1, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 1, &remaining_size));
+    mu_assert_int_eq(1, remaining_size);
+    mu_check(expansion_frame_get_remaining_size(&frame, 2, &remaining_size));
+    mu_assert_int_eq(EXPANSION_PROTOCOL_MAX_DATA_SIZE, remaining_size);
     for(size_t i = 0; i <= EXPANSION_PROTOCOL_MAX_DATA_SIZE; ++i) {
-        mu_assert_int_eq(
-            EXPANSION_PROTOCOL_MAX_DATA_SIZE - i,
-            expansion_frame_get_remaining_size(&frame, i + 2));
+        mu_check(expansion_frame_get_remaining_size(&frame, i + 2, &remaining_size));
+        mu_assert_int_eq(EXPANSION_PROTOCOL_MAX_DATA_SIZE - i, remaining_size);
     }
-    mu_assert_int_eq(0, expansion_frame_get_remaining_size(&frame, 100));
+    mu_check(expansion_frame_get_remaining_size(&frame, 100, &remaining_size));
+    mu_assert_int_eq(0, remaining_size);
 }
 
 typedef struct {
@@ -145,10 +170,28 @@ MU_TEST(test_expansion_encode_decode_frame) {
     mu_assert_mem_eq(&frame_in, &frame_out, encoded_size);
 }
 
+MU_TEST(test_expansion_garbage_input) {
+    uint8_t garbage_data[EXPANSION_TEST_GARBAGE_BUF_SIZE];
+    for(uint32_t i = 0; i < EXPANSION_TEST_GARBAGE_ITERATIONS; ++i) {
+        furi_hal_random_fill_buf(garbage_data, sizeof(garbage_data));
+        size_t remaining_size = EXPANSION_TEST_GARBAGE_MAGIC;
+        if(expansion_frame_get_remaining_size(
+               (ExpansionFrame*)garbage_data, sizeof(garbage_data), &remaining_size)) {
+            // If by chance the garbage data is a valid frame, then the result
+            // must be 0 because the amount of data provided is more than enough
+            mu_assert_int_eq(0, remaining_size);
+        } else {
+            // If the frame is invalid, the remaining_size parameter should be untouched
+            mu_assert_int_eq(EXPANSION_TEST_GARBAGE_MAGIC, remaining_size);
+        }
+    }
+}
+
 MU_TEST_SUITE(test_expansion_suite) {
     MU_RUN_TEST(test_expansion_encoded_size);
     MU_RUN_TEST(test_expansion_remaining_size);
     MU_RUN_TEST(test_expansion_encode_decode_frame);
+    MU_RUN_TEST(test_expansion_garbage_input);
 }
 
 int run_minunit_test_expansion() {