CC26xx - fix misuse of len variable in read_frame
read_frame was misusing the packet length in the following ways:
- returning non-zero even if buf_len is too short for the packet
- truncating the length to buf_len if len is too long, then using the truncated (i.e. wrong) length to index into the buffer
- memcpying too many bytes (used buf_len instead of the real length)
This commit fixes all of this and adds some code to report on packet length errors (to match with cc2538 driver).
parent
ceb24f656e
commit
feec05cdf2
|
@ -1350,15 +1350,26 @@ read_frame(void *buf, unsigned short buf_len)
|
|||
return 0;
|
||||
}
|
||||
|
||||
if(!rx_read_entry[8]) {
|
||||
|
||||
if(rx_read_entry[8] < 4) {
|
||||
PRINTF("RF: too short\n");
|
||||
RIMESTATS_ADD(tooshort);
|
||||
|
||||
release_data_entry();
|
||||
return 0;
|
||||
}
|
||||
|
||||
memcpy(buf, (char *)&rx_read_entry[9], buf_len);
|
||||
len = rx_read_entry[8] - 4;
|
||||
|
||||
/* Remove the footer */
|
||||
len = MIN(buf_len, rx_read_entry[8] - 4);
|
||||
if(len > buf_len) {
|
||||
PRINTF("RF: too long\n");
|
||||
RIMESTATS_ADD(toolong);
|
||||
|
||||
release_data_entry();
|
||||
return 0;
|
||||
}
|
||||
|
||||
memcpy(buf, (char *)&rx_read_entry[9], len);
|
||||
|
||||
rssi = (int8_t)rx_read_entry[9 + len + 2];
|
||||
|
||||
|
|
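Review bot: The new length checks in read_frame still describe the RX entry layout with bare literals (`rx_read_entry[8]`, `&rx_read_entry[9]`, `- 4`, `9 + len + 2`), so the bounds reasoning cannot be checked from the code alone. Before `len = rx_read_entry[8] - 4;` I would add a comment such as `/* byte 8 = element length incl. 4-byte footer; payload starts at byte 9 */`, with the wording confirmed against the data-entry layout, which this page does not show. It is also worth stating next to the `rssi` read that the index stays within the declared element length only because the `< 4` case returned earlier. The `len > buf_len` comparison depends on the declaration of `len`, which sits outside the hunk, so confirm it is not a type narrower than the subtraction result. The function begins and ends outside this hunk, and the page has lost its +/- markers, so this reads the new side as the `< 4` / `len > buf_len` / `memcpy(..., len)` sequence.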