safety: only run rx hooks on whitelisted msgs (#1903)

* don't run rx hook on non-allowed messages

* better name

* fix toyota (bug w/ secoc)

* looks like honda is broken

* rivian is also bad! (missing EPAS_SystemStatus)

* misra so far

rivian is also bad!

* nissan is fine

* tesla is also borked

* mazda's good

* subaru's fine

* gm broke

* ford's good

* chrysler's good

* vw is good

* hyundai is broky, canfd is good

* Fix Rivian

* revert these

* do relay malfunction check on all addresses

* Found a Tesla bug

* fix subaru pg

* body

* rm

* Fix Honda

* stash

* fix Hyundai

* fix

* Hyundai: buttons are used always (for interaction)

* revert tesla

* body: we don't rx _torque_cmd_msg

* Revert "body: we don't rx _torque_cmd_msg"

This reverts commit 2f973f6.

* simpler

* GM EV param for correct rxchecks

* no need

* might read better

* rm extras

* fix hyundai

* we weren't testing lfa (non-hda2), alt buttons, long

* fix

* tested

* rm

* not needed

* clean up

* that too

* .

Author: sshane

opendbc/safety/safety.h

@@ -211,19 +211,20 @@ bool safety_rx_hook(const CANPacket_t *to_push) {
   bool controls_allowed_prev = controls_allowed;
 
   bool valid = rx_msg_safety_check(to_push, &current_safety_config, current_hooks);
-  if (valid) {
+  bool whitelisted = get_addr_check_index(to_push, current_safety_config.rx_checks, current_safety_config.rx_checks_len) != -1;
+  if (valid && whitelisted) {
     current_hooks->rx(to_push);
+  }
 
-    const int bus = GET_BUS(to_push);
-    const int addr = GET_ADDR(to_push);
-
-    // check all tx msgs for liveness on sending bus if specified.
-    // used to detect a relay malfunction or control messages from disabled ECUs like the radar
-    for (int i = 0; i < current_safety_config.tx_msgs_len; i++) {
-      const CanMsg *m = &current_safety_config.tx_msgs[i];
-      if (m->check_relay) {
-        generic_rx_checks((m->addr == addr) && (m->bus == bus));
-      }
+  // the relay malfunction hook runs on all incoming rx messages.
+  // check all tx msgs for liveness on sending bus if specified.
+  // used to detect a relay malfunction or control messages from disabled ECUs like the radar
+  const int bus = GET_BUS(to_push);
+  const int addr = GET_ADDR(to_push);
+  for (int i = 0; i < current_safety_config.tx_msgs_len; i++) {
+    const CanMsg *m = &current_safety_config.tx_msgs[i];
+    if (m->check_relay) {
+      generic_rx_checks((m->addr == addr) && (m->bus == bus));
     }
   }
 

opendbc/safety/safety/safety_defaults.h

@@ -2,9 +2,12 @@
 
 #include "safety_declarations.h"
 
+// GCOV_EXCL_START
+// Unreachable by design (doesn't define any rx msgs)
 void default_rx_hook(const CANPacket_t *to_push) {
   UNUSED(to_push);
 }
+// GCOV_EXCL_STOP
 
 // *** no output safety mode ***
 

opendbc/safety/tests/test_body.py

@@ -38,9 +38,9 @@ def test_rx_hook(self):
     self.assertFalse(self.safety.get_controls_allowed())
     self.assertFalse(self.safety.get_vehicle_moving())
 
-    # controls allowed when we get MOTORS_DATA message
+    # controls allowed and vehicle moving when we get MOTORS_DATA message
     self.assertTrue(self._rx(self._torque_cmd_msg(0, 0)))
-    self.assertTrue(self.safety.get_vehicle_moving())  # always moving
+    self.assertFalse(self.safety.get_vehicle_moving())
     self.assertFalse(self.safety.get_controls_allowed())
 
     self.assertTrue(self._rx(self._motors_data_msg(0, 0)))