[riot-devel] at86rf2xx and PHR filtering

Alexander Aring alex.aring at gmail.com
Fri Apr 1 10:31:11 CEST 2016


I recentely talked with another 6lowpan linux developer about an ugly
behaviour of at86rf2xx transceivers and I told him I could break many of
nodes which use them because nobody really care about that while

The issue is that the len byte inside the PHR will not filtered by the
at86rf2xx transceivers, so the length could be above 127. Also remember
this can happen when the CRC is still correct. So I can mostly overwrite
some stack space, when the buffer is allocated on stack at first.

Most datasheets doesn't say anything what they filter on PHR or not.

In conclusion we introduce inside the Linux kernel [0] and all drivers
will check the length field when receiving at first.

In case of at86rf230 driver we check the len field at first, if invalid
then we read out the full frame buffer (interesting for monitor
interfaces and mac802154/etc should filter them correctly anyway if it's
invalid), just avoid copying above 127 because array boundaries. See [1].

btw: We read also the full framebuffer always because the RX_SAFE_MODE
functionality from at86rf2xx transceivers. But then we check on a valid
length field.

The developer told me to tell that RIOT, so I just want to leave a note
here and I don't know if RIOT does filtering on that or not.

- Alex

[0] http://lxr.free-electrons.com/source/include/linux/ieee802154.h#L263
[1] http://lxr.free-electrons.com/source/drivers/net/ieee802154/at86rf230.c#L704

More information about the devel mailing list