CC26xx - fix misuse of len variable in read_frame
read_frame was misusing the packet length in the following ways: - returning non-zero even if buf_len is too short for the packet - truncating the length to buf_len if len is too long then using the truncated (i.e. wrong) length to index into the buffer - memcpying too many bytes (used buf_len instead of real length) This commit fixes all of this and adds some code to report on packet length errors (to match with cc2538 driver).
parent
ceb24f656e
commit
feec05cdf2
|
@ -1350,15 +1350,26 @@ read_frame(void *buf, unsigned short buf_len)
|
|||
return 0;
|
||||
}
|
||||
|
||||
if(!rx_read_entry[8]) {
|
||||
|
||||
if(rx_read_entry[8] < 4) {
|
||||
PRINTF("RF: too short\n");
|
||||
RIMESTATS_ADD(tooshort);
|
||||
|
||||
release_data_entry();
|
||||
return 0;
|
||||
}
|
||||
|
||||
memcpy(buf, (char *)&rx_read_entry[9], buf_len);
|
||||
len = rx_read_entry[8] - 4;
|
||||
|
||||
/* Remove the footer */
|
||||
len = MIN(buf_len, rx_read_entry[8] - 4);
|
||||
if(len > buf_len) {
|
||||
PRINTF("RF: too long\n");
|
||||
RIMESTATS_ADD(toolong);
|
||||
|
||||
release_data_entry();
|
||||
return 0;
|
||||
}
|
||||
|
||||
memcpy(buf, (char *)&rx_read_entry[9], len);
|
||||
|
||||
rssi = (int8_t)rx_read_entry[9 + len + 2];
|
||||
|
||||
|
|
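Review bot: The new length checks in read_frame rest on bare constants (`4` in `rx_read_entry[8] < 4` and `rx_read_entry[8] - 4`, plus `8`, `9` and `+ 2` in the indexes), and none of the new lines carries a comment saying what they mean. The length byte appears to come from the received entry, so the `< 4` guard is what keeps `len` from underflowing before it reaches `memcpy` and `rx_read_entry[9 + len + 2]`. I would document that on the guard, e.g. `/* [8] is the length byte: payload plus 4-byte footer; reject shorter so len cannot underflow */`. The `len > buf_len` check bounds the write into `buf`, but whether `9 + len + 2` stays inside the rx data entry depends on the entry size, which is defined outside this hunk and is worth confirming. read_frame starts and ends outside the hunk, so the declaration of `len` and the return path are not visible here.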