drivers: ieee802154_nrf5: Add payload length check on TX

In case the upper layer does not follow the convention, and the net_pkt
provided to the nRF 15.4 driver had a payload larger than the maximum
payload size of an individual 15.4 frame, the driver would end up with
a buffer overflow.

Fix this by adding an extra payload_len check before attempting to copy
the payload to the internal buffer.

Signed-off-by: Robert Lubos <robert.lubos@nordicsemi.no>
Robert Lubos 2023-07-18 15:52:11 +02:00 committed by Carles Cufí
parent 7daaad454a
commit cf58d11f8f

@ -582,6 +582,11 @@ static int nrf5_tx(const struct device *dev,
uint8_t *payload = frag->data;
bool ret = true;
if (payload_len > NRF5_PSDU_LENGTH) {
LOG_ERR("Payload too large: %d", payload_len);
return -EMSGSIZE;
}
LOG_DBG("%p (%u)", payload, payload_len);
nrf5_radio->tx_psdu[0] = payload_len + NRF5_FCS_LENGTH;
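
Review bot: The new bound compares `payload_len` against `NRF5_PSDU_LENGTH`, but the very next statement stores `payload_len + NRF5_FCS_LENGTH` in `tx_psdu[0]`, and neither the definition of `NRF5_PSDU_LENGTH` nor the size of `tx_psdu` is visible in this hunk. Please confirm, ideally in a short comment above the check, that `NRF5_PSDU_LENGTH` is the payload limit with the FCS excluded, so that the length byte and the copy that follows stay within `tx_psdu` for every value that passes the check. If the constant already includes the FCS, the comparison should be against `NRF5_PSDU_LENGTH - NRF5_FCS_LENGTH` instead. A smaller point on the `LOG_ERR` line: it prints `payload_len` with `%d` while the `LOG_DBG` two lines below prints the same variable with `%u`; using `%u` in both keeps the specifiers consistent. Logging the limit alongside the offending length would also make the error easier to act on when an upper layer hands down an oversized `net_pkt`.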