From feec05cdf21af047820987eb4217e2936045c86b Mon Sep 17 00:00:00 2001
From: Billy Kozak
Date: Mon, 20 Jul 2015 12:02:22 -0600
Subject: [PATCH] CC26xx - fix misuse of len variable in read_frame

read_frame was misuing the packet length in the following ways:
- returning non-zero even if buf_len is too short for the packet
- truncating the length to buf_len if len is too long then using the truncated (i.e. wrong) length to index into the buffer
- memcpying too many bytes (used buf_len instead of real length)

This commit fixes all of this and adds some code to report on packet length errors (to match with cc2538 driver).
---
 cpu/cc26xx/dev/cc26xx-rf.c | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/cpu/cc26xx/dev/cc26xx-rf.c b/cpu/cc26xx/dev/cc26xx-rf.c
index efeee8450..8514b7e79 100644
--- a/cpu/cc26xx/dev/cc26xx-rf.c
+++ b/cpu/cc26xx/dev/cc26xx-rf.c
@@ -1350,15 +1350,26 @@ read_frame(void *buf, unsigned short buf_len)
 return 0;
 }
- if(!rx_read_entry[8]) {
+
+ if(rx_read_entry[8] < 4) {
+ PRINTF("RF: too short\n");
+ RIMESTATS_ADD(tooshort);
+ release_data_entry();
 return 0;
 }
- memcpy(buf, (char *)&rx_read_entry[9], buf_len);
+ len = rx_read_entry[8] - 4;
- /* Remove the footer */
- len = MIN(buf_len, rx_read_entry[8] - 4);
+ if(len > buf_len) {
+ PRINTF("RF: too long\n");
+ RIMESTATS_ADD(toolong);
+
+ release_data_entry();
+ return 0;
+ }
+
+ memcpy(buf, (char *)&rx_read_entry[9], len);
 rssi = (int8_t)rx_read_entry[9 + len + 2];