atsamr34_long_range_p2p

Possible Rx Packet buffer over-run.

Open urgent-canadian opened this issue 2 years ago • 0 comments

In WLR089U0_P2P_v1.05/src/ASF/thirdparty/wireless/LoRa_P2P/source/mimac/phy/sx1276/phy.c :: radioCallback()

  • The variable RxBank is initialized with the value 0xFF
  • During the RADIO_RX_DONE_CALLBACK or RADIO_RX_TIMEOUT_CALLBACK cases:
      • The loop searches for an empty RxBuffer array element, i.e. PayloadLen==0.
      • If all array elements are full then the value of variable RxBank remains 0xFF.
      • In error, the RxBank index is still used and finds an invalid destination in memory to copy the received packet data. Stomp on memory, stomp on memory,... stomp stomp stomp.
        i.e. RxBuffer[RxBank].Payload is really RxBuffer[0xFF].Payload but that array is only BANK_SIZE elements (RxBuffer[4])

Bummer. That's going to randomly break a bunch of stuff...

Just a heads-up for other developers who may be fighting random crashes etc....

Cheers Jeff

urgent-canadian • Jan 18 '24 17:01
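The missing check described in the issue, as an added example that is not part of the issue or of the project's phy.c: a free-bank search that refuses to index RxBuffer when RxBank is still the 0xFF sentinel, and drops the frame instead. RxBank, RxBuffer, BANK_SIZE, PayloadLen and Payload are taken from the issue; MAX_PAYLOAD, the struct layout, store_rx_packet, release_bank and the drop counter are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

#define BANK_SIZE     4     /* from the issue: RxBuffer[4] */
#define MAX_PAYLOAD   64    /* assumed per-bank payload capacity */
#define NO_FREE_BANK  0xFF  /* initial RxBank value named in the issue */

typedef struct {            /* hypothetical layout of one receive bank */
    uint8_t PayloadLen;     /* 0 means the bank is free */
    uint8_t Payload[MAX_PAYLOAD];
} rx_bank_t;

static rx_bank_t RxBuffer[BANK_SIZE];
static unsigned rx_dropped; /* hypothetical counter, useful for diagnostics */

/* Return the index of the first free bank, or NO_FREE_BANK if all are full. */
static uint8_t find_free_bank(void)
{
    uint8_t RxBank = NO_FREE_BANK;
    for (uint8_t i = 0; i < BANK_SIZE; i++) {
        if (RxBuffer[i].PayloadLen == 0) { RxBank = i; break; }
    }
    return RxBank;
}

/* Store one received frame. Returns the bank used, or -1 if it was dropped. */
int store_rx_packet(const uint8_t *data, size_t len)
{
    /* Reject frames that cannot fit in a bank before touching any buffer. */
    if (data == NULL || len == 0 || len > MAX_PAYLOAD) { rx_dropped++; return -1; }

    uint8_t RxBank = find_free_bank();
    if (RxBank >= BANK_SIZE) {   /* all banks full: sentinel must not be an index */
        rx_dropped++;
        return -1;
    }
    memcpy(RxBuffer[RxBank].Payload, data, len);
    RxBuffer[RxBank].PayloadLen = (uint8_t)len;
    return RxBank;
}

/* Mark a bank as consumed so the receive path can reuse it. */
void release_bank(uint8_t bank)
{
    if (bank < BANK_SIZE) RxBuffer[bank].PayloadLen = 0;
}

unsigned dropped_count(void) { return rx_dropped; }
```

Comparing with `>= BANK_SIZE` rather than `== 0xFF` keeps the guard valid if the sentinel value or the bank count ever changes.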