fix:

Signed-off-by: Haobo Gu <haobogu@outlook.com>

Author: HaoboGu

rmk-types/src/combo.rs

@@ -28,11 +28,9 @@ pub struct Combo {
 }
 
 impl MaxSize for Combo {
-    const POSTCARD_MAX_SIZE: usize = KeyAction::POSTCARD_MAX_SIZE * COMBO_SIZE
-        + crate::varint_max_size(COMBO_SIZE)
+    const POSTCARD_MAX_SIZE: usize = crate::heapless_vec_max_size::<KeyAction, COMBO_SIZE>()
         + KeyAction::POSTCARD_MAX_SIZE
-        + 1 // Option<u8> tag
-        + u8::POSTCARD_MAX_SIZE;
+        + Option::<u8>::POSTCARD_MAX_SIZE;
 }
 
 impl Combo {

rmk-types/src/lib.rs

@@ -57,9 +57,21 @@ pub(crate) const fn varint_max_size(max_n: usize) -> usize {
     roundup_bits / BITS_PER_VARINT_BYTE
 }
 
+/// Worst-case postcard-encoded size of `heapless::Vec<T, N>`:
+/// every element at its own max, plus the widest varint for the length prefix.
+///
+/// Use this in manual `MaxSize` impls for structs whose fields contain
+/// `heapless::Vec<T, N>`, since `#[derive(MaxSize)]` doesn't support `heapless::Vec`.
+/// TODO: Use derived `MaxSize` after postcard updates its heapless version.
+pub(crate) const fn heapless_vec_max_size<T: postcard::experimental::max_size::MaxSize, const N: usize>() -> usize {
+    T::POSTCARD_MAX_SIZE * N + varint_max_size(N)
+}
+
 #[cfg(test)]
 mod tests {
-    use super::varint_max_size;
+    use heapless::Vec;
+
+    use super::{heapless_vec_max_size, varint_max_size};
 
     /// Validate varint_max_size against known postcard varint encoding sizes
     /// and cross-check with actual postcard serialization.
@@ -86,4 +98,26 @@ mod tests {
             );
         }
     }
+
+    /// Worst-case `Vec<u32, 8>` (every element at `u32::MAX`, max-width varint
+    /// length prefix) must encode to exactly `heapless_vec_max_size::<u32, 8>()`.
+    #[test]
+    fn heapless_vec_max_size_matches_postcard() {
+        let mut v: Vec<u32, 8> = Vec::new();
+        for _ in 0..8 {
+            v.push(u32::MAX).unwrap();
+        }
+        let mut buf = [0u8; 64];
+        let bytes = postcard::to_slice(&v, &mut buf).unwrap();
+        assert_eq!(
+            bytes.len(),
+            heapless_vec_max_size::<u32, 8>(),
+            "tight bound: 8 × u32::MAX + varint(8)",
+        );
+
+        // Empty Vec is below the bound (loose check).
+        let empty: Vec<u32, 8> = Vec::new();
+        let bytes = postcard::to_slice(&empty, &mut buf).unwrap();
+        assert!(bytes.len() <= heapless_vec_max_size::<u32, 8>());
+    }
 }

rmk-types/src/morse.rs

@@ -282,9 +282,11 @@ pub struct Morse {
 }
 
 impl MaxSize for Morse {
-    const POSTCARD_MAX_SIZE: usize = MorseProfile::POSTCARD_MAX_SIZE
-        + (<(u16, Action)>::POSTCARD_MAX_SIZE) * MORSE_SIZE
-        + crate::varint_max_size(MORSE_SIZE);
+    // The custom serializer in `morse_actions_serde` (below) emits the
+    // `LinearMap` as `Vec<(u16, Action), MORSE_SIZE>` on the wire — keep that
+    // shape in sync with the helper type parameter here.
+    const POSTCARD_MAX_SIZE: usize =
+        MorseProfile::POSTCARD_MAX_SIZE + crate::heapless_vec_max_size::<(u16, Action), MORSE_SIZE>();
 }
 
 #[cfg(feature = "defmt")]

rmk-types/src/protocol/rmk/combo.rs

@@ -41,8 +41,7 @@ pub struct SetComboBulkRequest {
 
 #[cfg(feature = "bulk")]
 impl MaxSize for SetComboBulkRequest {
-    const POSTCARD_MAX_SIZE: usize =
-        u8::POSTCARD_MAX_SIZE + <Combo>::POSTCARD_MAX_SIZE * BULK_SIZE + crate::varint_max_size(BULK_SIZE);
+    const POSTCARD_MAX_SIZE: usize = u8::POSTCARD_MAX_SIZE + crate::heapless_vec_max_size::<Combo, BULK_SIZE>();
 }
 
 /// Bulk response for getting multiple combos at once.
@@ -54,14 +53,27 @@ pub struct GetComboBulkResponse {
 
 #[cfg(feature = "bulk")]
 impl MaxSize for GetComboBulkResponse {
-    const POSTCARD_MAX_SIZE: usize = <Combo>::POSTCARD_MAX_SIZE * BULK_SIZE + crate::varint_max_size(BULK_SIZE);
+    const POSTCARD_MAX_SIZE: usize = crate::heapless_vec_max_size::<Combo, BULK_SIZE>();
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
     use crate::action::KeyAction;
-    use crate::protocol::rmk::test_utils::round_trip;
+    use crate::constants::COMBO_SIZE;
+    use crate::protocol::rmk::test_utils::{assert_max_size_bound, round_trip};
+
+    /// Build a `Combo` filled to `COMBO_SIZE` actions plus a `Some` layer —
+    /// the worst case for the manual `MaxSize` impl on `Combo`.
+    fn full_combo() -> Combo {
+        let actions = core::iter::repeat_n(
+            KeyAction::Single(crate::action::Action::Key(crate::keycode::KeyCode::Hid(
+                crate::keycode::HidKeyCode::A,
+            ))),
+            COMBO_SIZE,
+        );
+        Combo::new(actions, KeyAction::No, Some(u8::MAX))
+    }
 
     #[test]
     fn round_trip_combo() {
@@ -76,4 +88,39 @@ mod tests {
             config: Combo::new([KeyAction::No], KeyAction::No, Some(1)),
         });
     }
+
+    #[test]
+    fn round_trip_combo_max_capacity() {
+        let c = full_combo();
+        assert_eq!(c.actions.len(), COMBO_SIZE);
+        round_trip(&c);
+        assert_max_size_bound(&c);
+    }
+
+    #[cfg(feature = "bulk")]
+    #[test]
+    fn round_trip_set_combo_bulk_request_max_capacity() {
+        let mut configs: Vec<Combo, BULK_SIZE> = Vec::new();
+        for _ in 0..BULK_SIZE {
+            configs.push(full_combo()).unwrap();
+        }
+        let req = SetComboBulkRequest {
+            start_index: u8::MAX,
+            configs,
+        };
+        round_trip(&req);
+        assert_max_size_bound(&req);
+    }
+
+    #[cfg(feature = "bulk")]
+    #[test]
+    fn round_trip_get_combo_bulk_response_max_capacity() {
+        let mut configs: Vec<Combo, BULK_SIZE> = Vec::new();
+        for _ in 0..BULK_SIZE {
+            configs.push(full_combo()).unwrap();
+        }
+        let resp = GetComboBulkResponse { configs };
+        round_trip(&resp);
+        assert_max_size_bound(&resp);
+    }
 }

rmk-types/src/protocol/rmk/keymap.rs

@@ -52,7 +52,7 @@ pub struct GetKeymapBulkResponse {
 
 #[cfg(feature = "bulk")]
 impl MaxSize for GetKeymapBulkResponse {
-    const POSTCARD_MAX_SIZE: usize = KeyAction::POSTCARD_MAX_SIZE * BULK_SIZE + crate::varint_max_size(BULK_SIZE);
+    const POSTCARD_MAX_SIZE: usize = crate::heapless_vec_max_size::<KeyAction, BULK_SIZE>();
 }
 
 /// Request payload for `SetKeymapBulk` endpoint.
@@ -71,15 +71,33 @@ pub struct SetKeymapBulkRequest {
 
 #[cfg(feature = "bulk")]
 impl MaxSize for SetKeymapBulkRequest {
-    const POSTCARD_MAX_SIZE: usize = 3 // layer + start_row + start_col
-        + KeyAction::POSTCARD_MAX_SIZE * BULK_SIZE
-        + crate::varint_max_size(BULK_SIZE);
+    // 3 bytes for layer + start_row + start_col (each `u8::POSTCARD_MAX_SIZE == 1`).
+    const POSTCARD_MAX_SIZE: usize = 3 + crate::heapless_vec_max_size::<KeyAction, BULK_SIZE>();
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
     use crate::protocol::rmk::test_utils::round_trip;
+    #[cfg(feature = "bulk")]
+    use crate::{
+        action::Action,
+        keycode::{HidKeyCode, KeyCode},
+        modifier::ModifierCombination,
+        morse::MorseProfile,
+        protocol::rmk::test_utils::assert_max_size_bound,
+    };
+
+    /// Largest-encoded `KeyAction` variant: `TapHold` wraps two multi-field
+    /// `Action`s and a `MorseProfile(u32)`, many times the size of
+    /// `KeyAction::No`. Using it in max-capacity bulk tests makes
+    /// `assert_max_size_bound` exercise both the per-element and the
+    /// length-prefix dimensions of the bound.
+    #[cfg(feature = "bulk")]
+    fn worst_key_action() -> KeyAction {
+        let action = Action::KeyWithModifier(KeyCode::Hid(HidKeyCode::A), ModifierCombination::new());
+        KeyAction::TapHold(action, action, MorseProfile::const_default())
+    }
 
     #[test]
     fn round_trip_key_position() {
@@ -125,4 +143,33 @@ mod tests {
             actions,
         });
     }
+
+    #[cfg(feature = "bulk")]
+    #[test]
+    fn round_trip_set_keymap_bulk_request_max_capacity() {
+        let mut actions: Vec<KeyAction, BULK_SIZE> = Vec::new();
+        for _ in 0..BULK_SIZE {
+            actions.push(worst_key_action()).unwrap();
+        }
+        let req = SetKeymapBulkRequest {
+            layer: u8::MAX,
+            start_row: u8::MAX,
+            start_col: u8::MAX,
+            actions,
+        };
+        round_trip(&req);
+        assert_max_size_bound(&req);
+    }
+
+    #[cfg(feature = "bulk")]
+    #[test]
+    fn round_trip_get_keymap_bulk_response_max_capacity() {
+        let mut actions: Vec<KeyAction, BULK_SIZE> = Vec::new();
+        for _ in 0..BULK_SIZE {
+            actions.push(worst_key_action()).unwrap();
+        }
+        let resp = GetKeymapBulkResponse { actions };
+        round_trip(&resp);
+        assert_max_size_bound(&resp);
+    }
 }

rmk-types/src/protocol/rmk/macro_data.rs

@@ -14,7 +14,7 @@ pub struct MacroData {
 }
 
 impl MaxSize for MacroData {
-    const POSTCARD_MAX_SIZE: usize = MACRO_DATA_SIZE + crate::varint_max_size(MACRO_DATA_SIZE);
+    const POSTCARD_MAX_SIZE: usize = crate::heapless_vec_max_size::<u8, MACRO_DATA_SIZE>();
 }
 
 /// Request payload for `GetMacro`.
@@ -41,7 +41,7 @@ pub struct SetMacroRequest {
 #[cfg(test)]
 mod tests {
     use super::*;
-    use crate::protocol::rmk::test_utils::round_trip;
+    use crate::protocol::rmk::test_utils::{assert_max_size_bound, round_trip};
 
     #[test]
     fn round_trip_macro_data() {
@@ -56,7 +56,9 @@ mod tests {
         for i in 0..MACRO_DATA_SIZE {
             data.push(i as u8).unwrap();
         }
-        round_trip(&MacroData { data });
+        let full = MacroData { data };
+        round_trip(&full);
+        assert_max_size_bound(&full);
     }
 
     #[test]

rmk-types/src/protocol/rmk/mod.rs

@@ -86,6 +86,7 @@ pub type RmkResult = Result<(), RmkError>;
 
 #[cfg(test)]
 pub(crate) mod test_utils {
+    use postcard::experimental::max_size::MaxSize;
     use serde::{Deserialize, Serialize};
 
     /// Postcard round-trip helper used by every submodule's tests.
@@ -99,6 +100,24 @@ pub(crate) mod test_utils {
         assert_eq!(&decoded, val);
         decoded
     }
+
+    /// Assert that `val` serializes within its declared `POSTCARD_MAX_SIZE`.
+    /// Use alongside `round_trip` in max-capacity tests to catch under-counted
+    /// manual `MaxSize` impls (the dangerous bug — buffer overflows downstream).
+    pub fn assert_max_size_bound<T>(val: &T)
+    where
+        T: Serialize + MaxSize,
+    {
+        let mut buf = [0u8; 4096];
+        let bytes = postcard::to_slice(val, &mut buf).expect("serialize");
+        assert!(
+            bytes.len() <= T::POSTCARD_MAX_SIZE,
+            "{} encoded to {} bytes but POSTCARD_MAX_SIZE = {}",
+            core::any::type_name::<T>(),
+            bytes.len(),
+            T::POSTCARD_MAX_SIZE,
+        );
+    }
 }
 
 // ---------------------------------------------------------------------------

rmk-types/src/protocol/rmk/morse.rs

@@ -41,8 +41,7 @@ pub struct SetMorseBulkRequest {
 
 #[cfg(feature = "bulk")]
 impl MaxSize for SetMorseBulkRequest {
-    const POSTCARD_MAX_SIZE: usize =
-        u8::POSTCARD_MAX_SIZE + <Morse>::POSTCARD_MAX_SIZE * BULK_SIZE + crate::varint_max_size(BULK_SIZE);
+    const POSTCARD_MAX_SIZE: usize = u8::POSTCARD_MAX_SIZE + crate::heapless_vec_max_size::<Morse, BULK_SIZE>();
 }
 
 /// Bulk response for getting multiple morse configs at once.
@@ -54,15 +53,41 @@ pub struct GetMorseBulkResponse {
 
 #[cfg(feature = "bulk")]
 impl MaxSize for GetMorseBulkResponse {
-    const POSTCARD_MAX_SIZE: usize = <Morse>::POSTCARD_MAX_SIZE * BULK_SIZE + crate::varint_max_size(BULK_SIZE);
+    const POSTCARD_MAX_SIZE: usize = crate::heapless_vec_max_size::<Morse, BULK_SIZE>();
 }
 
 #[cfg(test)]
 mod tests {
     use super::*;
     use crate::action::Action;
+    use crate::constants::MORSE_SIZE;
+    use crate::keycode::{HidKeyCode, KeyCode};
+    use crate::modifier::ModifierCombination;
     use crate::morse::{MorsePattern, MorseProfile};
-    use crate::protocol::rmk::test_utils::round_trip;
+    use crate::protocol::rmk::test_utils::{assert_max_size_bound, round_trip};
+
+    /// Build a `Morse` whose `actions` `LinearMap` is filled to `MORSE_SIZE`
+    /// distinct entries, each using a multi-field `Action` variant so both the
+    /// entry count *and* the per-entry encoded size meaningfully exercise the
+    /// manual `MaxSize` impl. `MorsePattern::from_u16(0)` panics (the empty
+    /// pattern is `0b1`), so patterns start at 1.
+    fn full_morse() -> Morse {
+        // `KeyWithModifier` carries a nested `KeyCode` enum + a `ModifierCombination`
+        // bitfield, so it encodes to several bytes rather than the 1 byte of
+        // `Action::No` — enough slack for `assert_max_size_bound` to catch a
+        // per-element under-count.
+        let action = Action::KeyWithModifier(KeyCode::Hid(HidKeyCode::A), ModifierCombination::new());
+        let mut m = Morse {
+            profile: MorseProfile::const_default(),
+            actions: heapless::LinearMap::new(),
+        };
+        for i in 0..MORSE_SIZE {
+            m.actions
+                .insert(MorsePattern::from_u16((i + 1) as u16), action)
+                .unwrap();
+        }
+        m
+    }
 
     #[test]
     fn round_trip_morse() {
@@ -84,4 +109,39 @@ mod tests {
             config: morse,
         });
     }
+
+    #[test]
+    fn round_trip_morse_max_capacity() {
+        let m = full_morse();
+        assert_eq!(m.actions.len(), MORSE_SIZE);
+        round_trip(&m);
+        assert_max_size_bound(&m);
+    }
+
+    #[cfg(feature = "bulk")]
+    #[test]
+    fn round_trip_set_morse_bulk_request_max_capacity() {
+        let mut configs: Vec<Morse, BULK_SIZE> = Vec::new();
+        for _ in 0..BULK_SIZE {
+            configs.push(full_morse()).unwrap();
+        }
+        let req = SetMorseBulkRequest {
+            start_index: u8::MAX,
+            configs,
+        };
+        round_trip(&req);
+        assert_max_size_bound(&req);
+    }
+
+    #[cfg(feature = "bulk")]
+    #[test]
+    fn round_trip_get_morse_bulk_response_max_capacity() {
+        let mut configs: Vec<Morse, BULK_SIZE> = Vec::new();
+        for _ in 0..BULK_SIZE {
+            configs.push(full_morse()).unwrap();
+        }
+        let resp = GetMorseBulkResponse { configs };
+        round_trip(&resp);
+        assert_max_size_bound(&resp);
+    }
 }