deac/osd-contiki
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

CC26xx - fix misuse of len variable in read_frame

Browse source 
read_frame was misuing the packet length in the following ways:
- returning non-zero even if buf_len is too short for the packet
- truncating the length to buf_len if len is too long then using the
  truncated (i.e. wrong) length to index into the buffer
- memcpying too many bytes (used buf_len instead of real length)

This commit fixes all of this and adds some code to report
on packet length errors (to match with cc2538 driver).
This commit is contained in:
Billy Kozak 2015-07-20 12:02:22 -06:00
parent ceb24f656e
commit feec05cdf2
1 changed files with 15 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
cpu/cc26xx/dev/cc26xx-rf.c
View file

@ -1350,15 +1350,26 @@ read_frame(void *buf, unsigned short buf_len)
return 0; return 0;
} }
if(!rx_read_entry[8]) {
if(rx_read_entry[8] < 4) {
PRINTF("RF: too short\n");
RIMESTATS_ADD(tooshort);
release_data_entry(); release_data_entry();
return 0; return 0;
} }
memcpy(buf, (char *)&rx_read_entry[9], buf_len); len = rx_read_entry[8] - 4;
/* Remove the footer */ if(len > buf_len) {
len = MIN(buf_len, rx_read_entry[8] - 4); PRINTF("RF: too long\n");
RIMESTATS_ADD(toolong);
release_data_entry();
return 0;
}
memcpy(buf, (char *)&rx_read_entry[9], len);
rssi = (int8_t)rx_read_entry[9 + len + 2]; rssi = (int8_t)rx_read_entry[9 + len + 2];