CC26xx - fix misuse of len variable in read_frame

read_frame was misusing the packet length in the following ways:
- returning non-zero even if buf_len is too short for the packet
- truncating the length to buf_len if len is too long then using the
  truncated (i.e. wrong) length to index into the buffer
- memcpying too many bytes (used buf_len instead of real length)

This commit fixes all of this and adds some code to report
on packet length errors (to match with cc2538 driver).
Billy Kozak 2015-07-20 12:02:22 -06:00
parent ceb24f656e
commit feec05cdf2
1 changed files with 15 additions and 4 deletions

@ -1350,15 +1350,26 @@ read_frame(void *buf, unsigned short buf_len)
return 0;
}
if(!rx_read_entry[8]) {
if(rx_read_entry[8] < 4) {
PRINTF("RF: too short\n");
RIMESTATS_ADD(tooshort);
release_data_entry();
return 0;
}
memcpy(buf, (char *)&rx_read_entry[9], buf_len);
len = rx_read_entry[8] - 4;
/* Remove the footer */
len = MIN(buf_len, rx_read_entry[8] - 4);
if(len > buf_len) {
PRINTF("RF: too long\n");
RIMESTATS_ADD(toolong);
release_data_entry();
return 0;
}
memcpy(buf, (char *)&rx_read_entry[9], len);
rssi = (int8_t)rx_read_entry[9 + len + 2];
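
Review bot: the `/* Remove the footer */` comment ends up above the `if(len > buf_len)` check rather than the `len = rx_read_entry[8] - 4;` assignment that actually strips the footer; move it up so it documents the subtraction. The literal 4 also appears in both the `rx_read_entry[8] < 4` guard and the subtraction, and the RSSI index `9 + len + 2` depends on the same footer layout, so a named constant for the footer size (and for the 8 and 9 offsets) would keep the guard, the length computation and the footer reads in step.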