CC26xx - fix misuse of len variable in read_frame

read_frame was misusing the packet length in the following ways:
- returning non-zero even if buf_len is too short for the packet
- truncating the length to buf_len if len is too long then using the
  truncated (i.e. wrong) length to index into the buffer
- memcpying too many bytes (used buf_len instead of real length)

This commit fixes all of this and adds some code to report
on packet length errors (to match with cc2538 driver).
This commit is contained in:
Billy Kozak 2015-07-20 12:02:22 -06:00
parent ceb24f656e
commit feec05cdf2

@ -1350,15 +1350,26 @@ read_frame(void *buf, unsigned short buf_len)
return 0;
}
if(!rx_read_entry[8]) {
if(rx_read_entry[8] < 4) {
PRINTF("RF: too short\n");
RIMESTATS_ADD(tooshort);
release_data_entry();
return 0;
}
memcpy(buf, (char *)&rx_read_entry[9], buf_len);
len = rx_read_entry[8] - 4;
/* Remove the footer */
len = MIN(buf_len, rx_read_entry[8] - 4);
if(len > buf_len) {
PRINTF("RF: too long\n");
RIMESTATS_ADD(toolong);
release_data_entry();
return 0;
}
memcpy(buf, (char *)&rx_read_entry[9], len);
rssi = (int8_t)rx_read_entry[9 + len + 2];
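
Review bot: the new `if(len > buf_len)` check bounds the copy against the destination only, while the trailing read `rx_read_entry[9 + len + 2]` is still indexed purely by the length byte the radio wrote at `rx_read_entry[8]`. Nothing visible in this hunk ties that byte to the size of the receive data entry, so it is worth confirming (or asserting here) that `9 + rx_read_entry[8]` cannot exceed the entry the source pointer refers to before the `memcpy` and the RSSI read. Separately, the literal `4` in `rx_read_entry[8] < 4` and in `len = rx_read_entry[8] - 4` is the same footer size, and the offsets `8` and `9` are bare as well; named constants would keep the short-frame check, the subtraction and the RSSI offset from drifting apart.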