From 92784a2932a6635b695cc832f3dfc706ceee25d7 Mon Sep 17 00:00:00 2001
From: Robert Lubos
Date: Tue, 18 Jul 2023 15:52:11 +0200
Subject: [PATCH 1/2] drivers: ieee802154_nrf5: Add payload length check on TX
In case upper layer does not follow the convention, and the net_pkt provided to the nRF 15.4 driver had a payload larger than the maximum payload size of an individual 15.4 frame, the driver would end up with buffer overflow. Fix this by adding an extra payload_len check before attempting to copy the payload to the internal buffer.
Signed-off-by: Robert Lubos
---
 drivers/ieee802154/ieee802154_nrf5.c | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/drivers/ieee802154/ieee802154_nrf5.c b/drivers/ieee802154/ieee802154_nrf5.c
index 3c69d5fb4392b..bc64a4b3e4bf6 100644
--- a/drivers/ieee802154/ieee802154_nrf5.c
+++ b/drivers/ieee802154/ieee802154_nrf5.c
@@ -582,6 +582,11 @@ static int nrf5_tx(const struct device *dev,
 uint8_t *payload = frag->data;
 bool ret = true;
+ if (payload_len > NRF5_PSDU_LENGTH) {
+ LOG_ERR("Payload too large: %d", payload_len);
+ return -EMSGSIZE;
+ }
+
 LOG_DBG("%p (%u)", payload, payload_len);
 nrf5_radio->tx_psdu[0] = payload_len + NRF5_FCS_LENGTH;
From 57450d6708ad0df629aa6ebe7a6621d602fdfc51 Mon Sep 17 00:00:00 2001
From: Robert Lubos
Date: Wed, 19 Jul 2023 09:15:08 +0200
Subject: [PATCH 2/2] drivers: ieee802154_nrf5: Use generic symbols for packet size
Use generic symbols defined in ieee802154.h for packet/FCS size instead of redefining them in the driver header.
Signed-off-by: Robert Lubos
---
 drivers/ieee802154/ieee802154_nrf5.c | 8 ++++----
 drivers/ieee802154/ieee802154_nrf5.h | 4 +---
 2 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/drivers/ieee802154/ieee802154_nrf5.c b/drivers/ieee802154/ieee802154_nrf5.c
index bc64a4b3e4bf6..d77b961470941 100644
--- a/drivers/ieee802154/ieee802154_nrf5.c
+++ b/drivers/ieee802154/ieee802154_nrf5.c
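Review bot: The new bound is checked on the local `payload_len` rather than on `frag->len`, and `payload_len` is declared above the hunk; if it is a narrower type than `frag->len` (a `uint8_t` would be plausible for a PSDU length byte — TODO confirm against the declaration), a fragment longer than 255 bytes is truncated before the comparison and is silently transmitted as a short frame instead of being rejected. Comparing the source length directly, `if (frag->len > NRF5_PSDU_LENGTH) {`, closes that gap whatever the local's width, and the overflow the commit message describes is then rejected for every over-long input. The added LOG_ERR also prints `payload_len` with `%d` while the LOG_DBG two lines below prints the same variable with `%u`; the two format specifiers should agree with the variable's type. nrf5_tx's body starts and continues outside the hunk.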
@@ -150,7 +150,7 @@ static void nrf5_rx_thread(void *arg1, void *arg2, void *arg3)
 if (IS_ENABLED(CONFIG_IEEE802154_NRF5_FCS_IN_LENGTH)) {
 pkt_len = rx_frame->psdu[0];
 } else {
- pkt_len = rx_frame->psdu[0] - NRF5_FCS_LENGTH;
+ pkt_len = rx_frame->psdu[0] - IEEE802154_FCS_LENGTH;
 }
 #if defined(CONFIG_NET_BUF_DATA_SIZE)
@@ -378,7 +378,7 @@ static int handle_ack(struct nrf5_802154_data *nrf5_radio)
 if (IS_ENABLED(CONFIG_IEEE802154_NRF5_FCS_IN_LENGTH)) {
 ack_len = nrf5_radio->ack_frame.psdu[0];
 } else {
- ack_len = nrf5_radio->ack_frame.psdu[0] - NRF5_FCS_LENGTH;
+ ack_len = nrf5_radio->ack_frame.psdu[0] - IEEE802154_FCS_LENGTH;
 }
 ack_pkt = net_pkt_rx_alloc_with_buffer(nrf5_radio->iface, ack_len,
@@ -582,14 +582,14 @@ static int nrf5_tx(const struct device *dev,
 uint8_t *payload = frag->data;
 bool ret = true;
- if (payload_len > NRF5_PSDU_LENGTH) {
+ if (payload_len > IEEE802154_MTU) {
 LOG_ERR("Payload too large: %d", payload_len);
 return -EMSGSIZE;
 }
 LOG_DBG("%p (%u)", payload, payload_len);
- nrf5_radio->tx_psdu[0] = payload_len + NRF5_FCS_LENGTH;
+ nrf5_radio->tx_psdu[0] = payload_len + IEEE802154_FCS_LENGTH;
 memcpy(nrf5_radio->tx_psdu + 1, payload, payload_len);
 /* Reset semaphore in case ACK was received after timeout */
diff --git a/drivers/ieee802154/ieee802154_nrf5.h b/drivers/ieee802154/ieee802154_nrf5.h
index 482e4a2e82af3..81c71721dda46 100644
--- a/drivers/ieee802154/ieee802154_nrf5.h
+++ b/drivers/ieee802154/ieee802154_nrf5.h
@@ -10,8 +10,6 @@
 #include
-#define NRF5_FCS_LENGTH (2)
-#define NRF5_PSDU_LENGTH (125)
 #define NRF5_PHR_LENGTH (1)
 struct nrf5_802154_rx_frame {
@@ -61,7 +59,7 @@ struct nrf5_802154_data {
 /* TX buffer. First byte is PHR (length), remaining bytes are
 * MPDU data. */
- uint8_t tx_psdu[NRF5_PHR_LENGTH + NRF5_PSDU_LENGTH + NRF5_FCS_LENGTH];
+ uint8_t tx_psdu[NRF5_PHR_LENGTH + IEEE802154_MAX_PHY_PACKET_SIZE];
 /* TX result, updated in radio transmit callbacks. */
 uint8_t tx_result;
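Review bot: The bound in the nrf5_tx hunk now compares against `IEEE802154_MTU`, while the buffer it protects, `tx_psdu` in the ieee802154_nrf5.h hunk at the end of this patch, is sized as `NRF5_PHR_LENGTH + IEEE802154_MAX_PHY_PACKET_SIZE`, so the `memcpy(nrf5_radio->tx_psdu + 1, payload, payload_len)` stays in bounds only while `IEEE802154_MTU + IEEE802154_FCS_LENGTH <= IEEE802154_MAX_PHY_PACKET_SIZE` holds — presumably true in ieee802154.h, but the relationship is no longer visible at the copy site now that the driver's own sizes are gone. Pinning it next to the `tx_psdu` declaration, `BUILD_ASSERT(NRF5_PHR_LENGTH + IEEE802154_MAX_PHY_PACKET_SIZE >= NRF5_PHR_LENGTH + IEEE802154_MTU + IEEE802154_FCS_LENGTH, "tx_psdu too small for MTU plus FCS");`, makes a future change to either generic constant fail at build time instead of reintroducing the overflow the first patch closes. The nrf5_rx_thread and handle_ack hunks are plain symbol renames and need nothing further. nrf5_tx's body and struct nrf5_802154_data both continue outside their hunks.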