fix(zwapi) Harden zwapi_connection_tx in zwapi_connection.c

Change is obvious, it prevent an overflow,
Also it has been observed than on edge case (0xFF)
the counter never ends because it loops on the range of i
that was defined as a char, let's use a larger range.

note that functions did not test all inputs params
specially when it is done in caller
(eg: in  zwave_api_send_data reject frames above limit),
Also lenght is strored on 8bits which align to the frame max (0xFF/ 255).

Origin: SiliconLabsSoftware#127
Bug-SiliconLabs: UIC-3666
Bug-SLVDBBP: 3169925
Signed-off-by: Philippe Coval <[email protected]>

Author: rzr

applications/zpc/components/zwave_api/src/zwapi_connection.c

@@ -138,7 +138,19 @@ void zwapi_connection_tx(
   uint8_t len,        /* IN the length of DATA to transmit */
   bool ack_needed)
 {
-  uint8_t tx_buffer[255];
+  uint8_t tx_buffer[FRAME_LENGTH_MAX];
+  const size_t MAX_PAYLOAD_LEN_ALLOWED
+    = sizeof(tx_buffer) - 4 - 1;  // 255 - 5 = 250
+  if (len > MAX_PAYLOAD_LEN_ALLOWED) {
+    sl_log_error(LOG_TAG,
+                 "zwapi_connection_tx: Buffer overflow prevented: Payload length (%u) exceeds "
+                 "maximum allowed (%zu).\n",
+                 len,
+                 MAX_PAYLOAD_LEN_ALLOWED);
+    assert(false);
+    return;
+  }
+
   uint8_t *c;
   c = tx_buffer;
 
@@ -151,7 +163,7 @@ void zwapi_connection_tx(
   c += len;
 
   uint8_t tx_checksum = 0xFF;
-  for (uint8_t i = 0; i < len + 3; i++) {
+  for (uint16_t i = 0; i < len + 3; i++) {
     tx_checksum ^= tx_buffer[i + 1];
   }
   *c++ = tx_checksum;