From 05a21bc8eed569bacd695ea6cce28371a936211c Mon Sep 17 00:00:00 2001
From: Jef Driesen
Date: Mon, 15 Apr 2019 13:36:33 +0200
Subject: [PATCH 1/6] Fix a buffer overflow
The length field in the data is checked for the maximum size (e.g. the size of the buffer), but there is no such check on the minimum size (e.g. the size of the header). If the length is smaller, the code accessed data before the start of the buffer.
---
 src/mares_iconhd_parser.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/mares_iconhd_parser.c b/src/mares_iconhd_parser.c
index e66d190..c12e8c4 100644
--- a/src/mares_iconhd_parser.c
+++ b/src/mares_iconhd_parser.c
@@ -100,13 +100,13 @@ mares_iconhd_parser_cache (mares_iconhd_parser_t *parser)
 else if (parser->model == SMARTAPNEA) header = 6; // Type and number of samples only!
- if (size < header + 4) {
+ if (size < 4) {
 ERROR (abstract->context, "Buffer overflow detected!");
 return DC_STATUS_DATAFORMAT;
 }
 unsigned int length = array_uint32_le (data);
- if (length > size) {
+ if (length < 4 + header || length > size) {
 ERROR (abstract->context, "Buffer overflow detected!");
 return DC_STATUS_DATAFORMAT;
 }
@@ -146,7 +146,7 @@ mares_iconhd_parser_cache (mares_iconhd_parser_t *parser)
 samplesize = 14;
 }
- if (length < headersize) {
+ if (length < 4 + headersize) {
 ERROR (abstract->context, "Buffer overflow detected!");
 return DC_STATUS_DATAFORMAT;
 }
From 5c55760fd5d42992f513948b018fefabe862b3b8 Mon Sep 17 00:00:00 2001
From: Janice McLaughlin
Date: Mon, 20 May 2019 14:46:03 -0700
Subject: [PATCH 2/6] Fix the limit for an invalid sample temperature
In the EON Steel descriptor for the temperature field, the "nillable" value is -3000: int16,precision=2,nillable=-3000 So the missing equals sign is just a small oversight.
---
 src/suunto_eonsteel_parser.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/suunto_eonsteel_parser.c b/src/suunto_eonsteel_parser.c
index 75b7091..33a6b3d 100644
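Review bot: The bare `4` in the new bounds (`size < 4`, `length < 4 + header`, and `length < 4 + headersize` in the `@@ -146,7 +146,7 @@` hunk) is undocumented; it appears to be the size of the length field read by `array_uint32_le (data)`, but nothing in either hunk says so. A comment above the first check, such as `// length includes the 4-byte length field itself, so it can never be smaller than 4 + header` (wording to be confirmed against the data format), would make the invariant explicit for the next person touching these bounds. All three failure paths also log the same "Buffer overflow detected!" text, so a log cannot tell a truncated buffer from an undersized length field; distinct messages would help when triaging malformed dive data. The function body starts before and continues past both hunks.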
--- a/src/suunto_eonsteel_parser.c
+++ b/src/suunto_eonsteel_parser.c
@@ -496,7 +496,7 @@ static void sample_temp(struct sample_data *info, short temp)
 {
 dc_sample_value_t sample = {0};
- if (temp < -3000)
+ if (temp <= -3000)
 return;
 sample.temperature = temp / 10.0;
From 7b29c5d43d06380c07694a9d051ff5e1cd911868 Mon Sep 17 00:00:00 2001
From: Jef Driesen
Date: Wed, 6 Mar 2019 20:38:01 +0100
Subject: [PATCH 3/6] Detect Mares Quad with more flash memory
The latest variant of the Mares Quad has 4 times more flash memory compared to the original variant (1M vs 256K). Therefore this variant supports a new command to read the size of the flash memory. At the moment, it's unknown whether the previous variant also supports this new command or not. Probably not, because none of the other compatible models seems to support it either. Hence we only attempt to read the flash memory size for the Quad, and a failure is not considered a fatal error. The disadvantage of this approach is that a temporary communication problem can result in a misdetection of the flash memory size.
Reported-by: Janice McLaughlin
---
 src/mares_iconhd.c | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/src/mares_iconhd.c b/src/mares_iconhd.c
index 5d428a9..ec9a4eb 100644
--- a/src/mares_iconhd.c
+++ b/src/mares_iconhd.c
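Review bot: The sentinel in `if (temp <= -3000)` is still a bare literal; the commit message explains it as the descriptor's "nillable" value, but nothing in the code does. A comment on the check, e.g. `/* -3000 is the "nillable" (no reading) value of the temperature descriptor */`, would keep the boundary from drifting again. `sample_temp` continues past the end of the hunk.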
@@ -380,6 +380,20 @@ mares_iconhd_device_open (dc_device_t **out, dc_context_t *context, dc_iostream_
 // Autodetect the model using the version packet.
 device->model = mares_iconhd_get_model (device);
+ // Read the size of the flash memory.
+ unsigned int memsize = 0;
+ if (device->model == QUAD) {
+ unsigned char cmd_flash[] = {0xB3, 0x16};
+ unsigned char rsp_flash[4] = {0};
+ status = mares_iconhd_transfer (device, cmd_flash, sizeof (cmd_flash), rsp_flash, sizeof (rsp_flash));
+ if (status != DC_STATUS_SUCCESS) {
+ WARNING (context, "Failed to read the flash memory size.");
+ } else {
+ memsize = array_uint32_le (rsp_flash);
+ DEBUG (context, "Flash memory size is %u bytes.", memsize);
+ }
+ }
+
 // Load the correct memory layout.
 switch (device->model) {
 case MATRIX:
@@ -391,10 +405,17 @@ mares_iconhd_device_open (dc_device_t **out, dc_context_t *context, dc_iostream_
 case NEMOWIDE2:
 case SMART:
 case SMARTAPNEA:
- case QUAD:
 device->layout = &mares_nemowide2_layout;
 device->packetsize = 256;
 break;
+ case QUAD:
+ if (memsize > 0x40000) {
+ device->layout = &mares_iconhd_layout;
+ } else {
+ device->layout = &mares_nemowide2_layout;
+ }
+ device->packetsize = 256;
+ break;
 case QUADAIR:
 case SMARTAIR:
 device->layout = &mares_iconhdnet_layout;
From 629e33432f9e332e311d2820d2a139e1b27a405e Mon Sep 17 00:00:00 2001
From: Jef Driesen
Date: Thu, 25 Apr 2019 23:58:12 +0200
Subject: [PATCH 4/6] Add the G2 HUD bluetooth device name
---
 src/descriptor.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/descriptor.c b/src/descriptor.c
index 1eb45cd..fe7f382 100644
--- a/src/descriptor.c
+++ b/src/descriptor.c
@@ -427,6 +427,7 @@ static int dc_filter_uwatec (dc_transport_t transport, const void *userdata)
 static const char *bluetooth[] = {
 "G2",
 "Aladin",
+ "HUD",
 };
 if (transport == DC_TRANSPORT_IRDA) {
From b188c414206daaa5b6de464ced98d78f6da7cde1 Mon Sep 17 00:00:00 2001
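Review bot: `memsize` is taken straight from the device response in the `@@ -380,6 +380,20 @@` hunk, and the new `case QUAD:` branch in the `@@ -391,10 +405,17 @@` hunk only tests `memsize > 0x40000`, so any larger value, including a garbled reply such as 0xFFFFFFFF, selects `mares_iconhd_layout`. The commit message names exactly two sizes (256K and 1M); accepting only those and treating anything else like a failed read would keep a corrupted response from choosing a layout larger than the flash really is, for example `if (memsize != 0x40000 && memsize != 0x100000) { WARNING (context, "Unexpected flash memory size (%u).", memsize); memsize = 0; }` right after the `DEBUG` line. That `mares_iconhd_layout` describes the 1M part is assumed from the description, since its definition is not visible here. Both hunks sit inside `mares_iconhd_device_open`, which starts and ends outside them.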
From: Jef Driesen
Date: Mon, 13 May 2019 07:43:15 +0200
Subject: [PATCH 5/6] Add support for the Tusa Talis
Reported-By: Nick Shore
---
 src/descriptor.c | 1 +
 src/oceanic_atom2.c | 1 +
 src/oceanic_atom2_parser.c | 6 +++++-
 3 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/descriptor.c b/src/descriptor.c
index fe7f382..be649c9 100644
--- a/src/descriptor.c
+++ b/src/descriptor.c
@@ -210,6 +210,7 @@ static const dc_descriptor_t g_descriptors[] = {
 {"Aeris", "F11", DC_FAMILY_OCEANIC_ATOM2, 0x4549, DC_TRANSPORT_SERIAL, NULL},
 {"Oceanic", "OCi", DC_FAMILY_OCEANIC_ATOM2, 0x454B, DC_TRANSPORT_SERIAL, NULL},
 {"Aeris", "A300CS", DC_FAMILY_OCEANIC_ATOM2, 0x454C, DC_TRANSPORT_SERIAL, NULL},
+ {"Tusa", "Talis", DC_FAMILY_OCEANIC_ATOM2, 0x454E, DC_TRANSPORT_SERIAL, NULL},
 {"Beuchat", "Mundial 3", DC_FAMILY_OCEANIC_ATOM2, 0x4550, DC_TRANSPORT_SERIAL, NULL},
 {"Oceanic", "Pro Plus X", DC_FAMILY_OCEANIC_ATOM2, 0x4552, DC_TRANSPORT_SERIAL, NULL},
 {"Oceanic", "F10", DC_FAMILY_OCEANIC_ATOM2, 0x4553, DC_TRANSPORT_SERIAL, NULL},
diff --git a/src/oceanic_atom2.c b/src/oceanic_atom2.c
index 950eb06..33947bd 100644
--- a/src/oceanic_atom2.c
+++ b/src/oceanic_atom2.c
@@ -151,6 +151,7 @@ static const oceanic_common_version_t tusa_zenair_version[] = {
 {"AMPHOSSW \0\0 512K"},
 {"AMPHOAIR \0\0 512K"},
 {"VOYAGE2G \0\0 512K"},
+ {"TUSTALIS \0\0 512K"},
 };
 static const oceanic_common_version_t oceanic_oc1_version[] = {
diff --git a/src/oceanic_atom2_parser.c b/src/oceanic_atom2_parser.c
index 002de21..ddedc40 100644
--- a/src/oceanic_atom2_parser.c
+++ b/src/oceanic_atom2_parser.c
@@ -74,6 +74,7 @@
 #define F11A 0x4549
 #define OCI 0x454B
 #define A300CS 0x454C
+#define TALIS 0x454E
 #define MUNDIAL3 0x4550
 #define PROPLUSX 0x4552
 #define F10B 0x4553
@@ -288,6 +289,7 @@ oceanic_atom2_parser_get_datetime (dc_parser_t *abstract, dc_datetime_t *datetim
 case AMPHOS:
 case AMPHOSAIR:
 case VOYAGER2G:
+ case TALIS:
 datetime->year = (p[3] & 0x1F) + 2000;
 datetime->month = (p[7] & 0xF0) >> 4;
 datetime->day = ((p[3] & 0x80) >> 3) + ((p[5] & 0xF0) >> 4);
@@ -712,7 +714,7 @@ oceanic_atom2_parser_samples_foreach (dc_parser_t *abstract, dc_sample_callback_
 parser->model == GEO || parser->model == GEO20 || parser->model == MANTA || parser->model == I300 || parser->model == I200 || parser->model == I100 ||
- parser->model == I300C) {
+ parser->model == I300C || TALIS) {
 have_pressure = 0;
 }
@@ -862,6 +864,8 @@ oceanic_atom2_parser_samples_foreach (dc_parser_t *abstract, dc_sample_callback_
 parser->model == ELEMENT2 || parser->model == MANTA || parser->model == ZEN) {
 temperature = data[offset + 6];
+ } else if (parser->model == TALIS) {
+ temperature = data[offset + 7];
 } else if (parser->model == GEO20 || parser->model == VEO20 || parser->model == VEO30 || parser->model == OC1A || parser->model == OC1B || parser->model == OC1C ||
From 0dc10062ced1be609155c133b235f07595853306 Mon Sep 17 00:00:00 2001
From: Jef Driesen
Date: Thu, 16 May 2019 22:08:41 +0200
Subject: [PATCH 6/6] Add support for the Suunto D5
The Suunto D5 is fully compatible with the Eon Steel, except for the different USB PID.
Reported-By: Nick Shore
---
 src/descriptor.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/descriptor.c b/src/descriptor.c
index be649c9..b198f80 100644
--- a/src/descriptor.c
+++ b/src/descriptor.c
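Review bot: In the `@@ -712,7 +714,7 @@` hunk the new condition ends with `|| TALIS`, which tests the constant `0x454E` instead of the parser's model, so the whole `if` is always true and `have_pressure = 0` is applied to every model this parser handles rather than only the Talis. The line should read `parser->model == I300C || parser->model == TALIS) {`, matching the `parser->model == TALIS` comparison used in the `@@ -862,6 +864,8 @@` hunk. The `if` begins above the hunk, so the start of the condition is not visible here.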
@@ -102,6 +102,7 @@ static const dc_descriptor_t g_descriptors[] = {
 /* Suunto EON Steel */
 {"Suunto", "EON Steel", DC_FAMILY_SUUNTO_EONSTEEL, 0, DC_TRANSPORT_USBHID | DC_TRANSPORT_BLE, dc_filter_suunto},
 {"Suunto", "EON Core", DC_FAMILY_SUUNTO_EONSTEEL, 1, DC_TRANSPORT_USBHID | DC_TRANSPORT_BLE, dc_filter_suunto},
+ {"Suunto", "D5", DC_FAMILY_SUUNTO_EONSTEEL, 2, DC_TRANSPORT_USBHID | DC_TRANSPORT_BLE, dc_filter_suunto},
 /* Uwatec Aladin */
 {"Uwatec", "Aladin Air Twin", DC_FAMILY_UWATEC_ALADIN, 0x1C, DC_TRANSPORT_SERIAL, NULL},
 {"Uwatec", "Aladin Sport Plus", DC_FAMILY_UWATEC_ALADIN, 0x3E, DC_TRANSPORT_SERIAL, NULL},
@@ -447,10 +448,12 @@ static int dc_filter_suunto (dc_transport_t transport, const void *userdata)
 static const dc_usb_desc_t usbhid[] = {
 {0x1493, 0x0030}, // Eon Steel
 {0x1493, 0x0033}, // Eon Core
+ {0x1493, 0x0035}, // D5
 };
 static const char *bluetooth[] = {
 "EON Steel",
 "EON Core",
+ "Suunto D5",
 };
 if (transport == DC_TRANSPORT_USBHID) {