AP_ADSB: avoid buffer overwrite in AP_ADSB_Sagetech_MXS

we were not bounds-checking the off-wire length, and then reading many bytes into a target buffer based on it.

Do the bounds check.

Also remove the writing of the checksum into the payload buffer - this was the notional 1-byte overwrite

Author: peterbarker

libraries/AP_ADSB/AP_ADSB_Sagetech_MXS.cpp

@@ -279,6 +279,10 @@ bool AP_ADSB_Sagetech_MXS::parse_byte(const uint8_t data)
         case ParseState::WaitingFor_PayloadLen: 
             message_in.checksum += data;
             message_in.packet.payload_length = data;
+            if (message_in.packet.payload_length > ARRAY_SIZE(message_in.packet.payload)) {
+                message_in.state = ParseState::WaitingFor_Start;
+                break;
+            }
             message_in.index = 0;
             message_in.state = (data == 0) ? ParseState::WaitingFor_Checksum : ParseState::WaitingFor_PayloadContents;
             break;
@@ -293,7 +297,6 @@ bool AP_ADSB_Sagetech_MXS::parse_byte(const uint8_t data)
             message_in.state = ParseState::WaitingFor_Start;
             if (message_in.checksum == data) {
                 // append the checksum to the payload and zero out the payload index
-                message_in.packet.payload[message_in.index] = data;
                 message_in.index = 0;
                 handle_packet(message_in.packet);
             }