From 89526c5bd0af8b539c8faad0b1f05a71a30eeae1 Mon Sep 17 00:00:00 2001
From: Rayhub <1102290321@qq.com>
Date: Fri, 26 Dec 2025 19:49:43 +0800
Subject: [PATCH] verify crsf frame length when handling CRSF_FRAMETYPE_MSP_REQ/CRSF_FRAMETYPE_MSP_WRITE

---
 src/main/rx/crsf.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/main/rx/crsf.c b/src/main/rx/crsf.c
index 6ac184b9c66..f144ef45068 100755
--- a/src/main/rx/crsf.c
+++ b/src/main/rx/crsf.c
@@ -173,9 +173,13 @@ STATIC_UNIT_TESTED void crsfDataReceive(uint16_t c, void *rxCallbackData)
 #if defined(USE_MSP_OVER_TELEMETRY)
         case CRSF_FRAMETYPE_MSP_REQ:
         case CRSF_FRAMETYPE_MSP_WRITE: {
-            uint8_t *frameStart = (uint8_t *)&crsfFrame.frame.payload + CRSF_FRAME_ORIGIN_DEST_SIZE;
-            if (bufferCrsfMspFrame(frameStart, crsfFrame.frame.frameLength - 4)) {
-                crsfScheduleMspResponse(crsfFrame.frame.payload[1]);
+            if (crsfFrame.frame.frameLength >= 4) {
+                uint8_t *frameStart = (uint8_t *)&crsfFrame.frame.payload + CRSF_FRAME_ORIGIN_DEST_SIZE;
+                if (bufferCrsfMspFrame(frameStart, crsfFrame.frame.frameLength - 4)) {
+                    crsfScheduleMspResponse(crsfFrame.frame.payload[1]);
+                }
+            } else {
+                crsfFrameDone = false;
             }
             break;
         }
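Review bot: The new guard only bounds the low end of the length — `crsfFrame.frame.frameLength - 4` is still handed to bufferCrsfMspFrame unclamped, so unless the frame-length byte is already capped against the receive buffer earlier in crsfDataReceive (not visible in this hunk), an oversized length from the wire still lets the callee read past the bytes actually received; add an upper bound here or confirm the earlier clamp covers frameLength itself, not just the loop's full-frame count. The literal 4 now appears twice with no explanation of what it is; name it or annotate it, e.g. `if (crsfFrame.frame.frameLength >= 4) { // type + origin/dest + CRC`, or express it as `CRSF_FRAME_ORIGIN_DEST_SIZE + 2` if the header has no constant for type+CRC. The else branch clears crsfFrameDone while the valid path leaves it as the caller set it — worth a one-line comment on why a short MSP frame must be reported as "not done", since nothing in the hunk shows how that flag is consumed. With frameLength exactly 4 the MSP payload length passed is 0, so confirm bufferCrsfMspFrame tolerates a zero-length append rather than reading a header byte it assumes is present. crsfDataReceive starts and ends outside the hunk.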