fix broken bogus-length check revealed by Deputy

author idgay <idgay>

Mon, 7 Aug 2006 21:52:53 +0000 (21:52 +0000)

committer idgay <idgay>

Mon, 7 Aug 2006 21:52:53 +0000 (21:52 +0000)
author idgay <idgay>
Mon, 7 Aug 2006 21:52:53 +0000 (21:52 +0000)
committer idgay <idgay>
Mon, 7 Aug 2006 21:52:53 +0000 (21:52 +0000)
diff --git a/tos/chips/cc1000/CC1000SendReceiveP.nc b/tos/chips/cc1000/CC1000SendReceiveP.nc

index ec2e8513b360658418f0b97169a959bac39fc896..a72f08cba46ca2de96c502ec7c8ec3a78efd2402 100644 (file)
--- a/tos/chips/cc1000/CC1000SendReceiveP.nc
+++ b/tos/chips/cc1000/CC1000SendReceiveP.nc
@@ -484,14 +484,10 @@ implementation
    void rxData(uint8_t in) {
      uint8_t nextByte;
      cc1000_header_t *rxHeader = getHeader(rxBufPtr);
-
-    // rxLength is the offset into a message_t at which the packet
-    // data ends: it is NOT equal to the number of bytes received,
-    // as there may be padding in the message_t before the packet.
-    uint8_t rxLength = rxHeader->length + offsetof(message_t, data);
+    uint8_t rxLength = rxHeader->length;
  
      // Reject invalid length packets
-    if (rxLength > TOSH_DATA_LENGTH + offsetof(message_t, data))
+    if (rxLength > TOSH_DATA_LENGTH)
        {
         // The packet's screwed up, so just dump it
         enterListenState();
@@ -503,6 +499,8 @@ implementation
      nextByte = rxShiftBuf >> f.rxBitOffset;
      ((uint8_t *)rxBufPtr)[count++] = nextByte;
  
+    // Adjust rxLength to correspond to the corresponding offset in message_t
+    rxLength += offsetof(message_t, data);
      if (count <= rxLength)
        runningCrc = crcByte(runningCrc, nextByte);
author	idgay <idgay>
	Mon, 7 Aug 2006 21:52:53 +0000 (21:52 +0000)
committer	idgay <idgay>
	Mon, 7 Aug 2006 21:52:53 +0000 (21:52 +0000)