From 0154e7fd78f284068f0cbc21d23ddf8cb29c480d Mon Sep 17 00:00:00 2001
From: Harald Barth <haba@kth.se>
Date: Fri, 31 Jan 2025 11:17:59 +0100
Subject: [PATCH] Bugfix: serial COMMAND_BUFFER_SIZE could be silently overrun

---
 SerialManager.cpp | 50 +++++++++++++++++++++++++----------------------
 1 file changed, 27 insertions(+), 23 deletions(-)

diff --git a/SerialManager.cpp b/SerialManager.cpp
index 5dfa526..aac777e 100644
--- a/SerialManager.cpp
+++ b/SerialManager.cpp
@@ -126,29 +126,33 @@ void SerialManager::loop2() {
         buffer[0] = '\0';
       }
     } else { // if (inCommandPayload)
-      if (bufferLength <  (COMMAND_BUFFER_SIZE-1))
-        buffer[bufferLength++] = ch;
-      if (inCommandPayload > PAYLOAD_NORMAL) {
-        if (inCommandPayload > 32 + 2) {    // String way too long
-          ch = '>';                         // we end this nonsense
-          inCommandPayload = PAYLOAD_NORMAL;
-          DIAG(F("Parse error: Unbalanced string"));
-          // fall through to ending parsing below
-        } else if (ch == '"') {               // String end
-          inCommandPayload = PAYLOAD_NORMAL;
-          continue; // do not fall through
-        } else
-          inCommandPayload++;
-      }
-      if (inCommandPayload == PAYLOAD_NORMAL) {
-        if (ch == '>') {
-          buffer[bufferLength] = '\0';
-          DCCEXParser::parse(serial, buffer, NULL); 
-          inCommandPayload = PAYLOAD_FALSE;
-          break;
-        } else if (ch == '"') {
-          inCommandPayload = PAYLOAD_STRING;
-        }
+      if (bufferLength <  (COMMAND_BUFFER_SIZE-1)) {
+        buffer[bufferLength++] = ch;          // advance bufferLength
+	if (inCommandPayload > PAYLOAD_NORMAL) {
+	  if (inCommandPayload > 32 + 2) {    // String way too long
+	    ch = '>';                         // we end this nonsense
+	    inCommandPayload = PAYLOAD_NORMAL;
+	    DIAG(F("Parse error: Unbalanced string"));
+	    // fall through to ending parsing below
+	  } else if (ch == '"') {               // String end
+	    inCommandPayload = PAYLOAD_NORMAL;
+	    continue; // do not fall through
+	  } else
+	    inCommandPayload++;
+	}
+	if (inCommandPayload == PAYLOAD_NORMAL) {
+	  if (ch == '>') {
+	    buffer[bufferLength] = '\0';               // This \0 is after the '>'
+	    DCCEXParser::parse(serial, buffer, NULL);  // buffer parsed with trailing '>'
+	    inCommandPayload = PAYLOAD_FALSE;
+	    break;
+	  } else if (ch == '"') {
+	    inCommandPayload = PAYLOAD_STRING;
+	  }
+	}
+      } else {
+	DIAG(F("Parse error: input buffer overflow"));
+	inCommandPayload = PAYLOAD_FALSE;
       }
     }
   }