From 56a0a85ca4e14bef0fe21ac39a298674c6cec9a4 Mon Sep 17 00:00:00 2001
From: idgay
Date: Mon, 7 Aug 2006 21:52:53 +0000
Subject: [PATCH] fix broken bogus-length check revealed by Deputy

---
 tos/chips/cc1000/CC1000SendReceiveP.nc | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/tos/chips/cc1000/CC1000SendReceiveP.nc b/tos/chips/cc1000/CC1000SendReceiveP.nc
index ec2e8513..a72f08cb 100644
--- a/tos/chips/cc1000/CC1000SendReceiveP.nc
+++ b/tos/chips/cc1000/CC1000SendReceiveP.nc
@@ -484,14 +484,10 @@ implementation
  void rxData(uint8_t in) {
  uint8_t nextByte;
  cc1000_header_t *rxHeader = getHeader(rxBufPtr);
-
- // rxLength is the offset into a message_t at which the packet
- // data ends: it is NOT equal to the number of bytes received,
- // as there may be padding in the message_t before the packet.
- uint8_t rxLength = rxHeader->length + offsetof(message_t, data);
+ uint8_t rxLength = rxHeader->length;
 
  // Reject invalid length packets
- if (rxLength > TOSH_DATA_LENGTH + offsetof(message_t, data))
+ if (rxLength > TOSH_DATA_LENGTH)
  {
  // The packet's screwed up, so just dump it
  enterListenState();
@@ -503,6 +499,8 @@ implementation
  nextByte = rxShiftBuf >> f.rxBitOffset;
  ((uint8_t *)rxBufPtr)[count++] = nextByte;
 
+ // Adjust rxLength to correspond to the corresponding offset in message_t
+ rxLength += offsetof(message_t, data);
  if (count <= rxLength)
  runningCrc = crcByte(runningCrc, nextByte);
 
--
2.39.2
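Review bot: The new declaration `uint8_t rxLength = rxHeader->length;` drops the only comment that explained rxLength, and nothing now records why the bound is tested before the offset is added. The removed form stored `rxHeader->length + offsetof(message_t, data)` in a uint8_t, so a large received length could presumably wrap to a small value and pass the old check; that ordering is the security-relevant part of this fix and is easy to undo in a later cleanup. I would add `// Validate the raw header length first: adding offsetof() in a uint8_t can wrap and hide an oversized length` above the check. rxData's body continues outside the hunk.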
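Review bot: `rxLength += offsetof(message_t, data);` still performs the addition in a uint8_t, so the corrected check holds only while TOSH_DATA_LENGTH + offsetof(message_t, data) is at most 255, and nothing visible in the hunk enforces that. If a build raises TOSH_DATA_LENGTH past that limit, a length that passed the check wraps here and `count <= rxLength` compares against the wrong end offset. The statement also makes rxLength mean two things in one function, payload length above and buffer offset below. A separate wider variable such as `uint16_t rxEnd = (uint16_t)rxLength + offsetof(message_t, data);` would avoid both, assuming the type of count (declared outside the hunk) suits the comparison. The rest of rxData, which may read rxLength again, is outside the hunk.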