[riot-devel] at86rf2xx and PHR filtering

Wachtler, Axel Axel.Wachtler at atmel.com
Fri Apr 1 10:45:48 CEST 2016


> Most datasheets don't say anything about what they filter on PHR or not.

The MSB in the PHR field is reserved, see at86rf230 DS:

[image: image001.png]

At and after RF231 this bit could be sent by the transceiver and can then be seen at the receiver side as well.

Also, the standard says that this bit is reserved, so proper implementations need to mask this out in order to get the correct frame length at the receiving side.

Best Regards, Axel



> -----Original Message-----
> From: devel [mailto:devel-bounces at riot-os.org] On Behalf Of Alexander Aring
> Sent: Friday, 1 April 2016 10:31
> To: devel at riot-os.org
> Subject: [riot-devel] at86rf2xx and PHR filtering
>
> Hi,
>
> I recently talked with another 6lowpan linux developer about an ugly
> behaviour of at86rf2xx transceivers and I told him I could break many of the nodes
> which use them because nobody really cares about that while programming.
>
> The issue is that the len byte inside the PHR will not be filtered by the at86rf2xx
> transceivers, so the length could be above 127. Also remember this can happen
> when the CRC is still correct. So I can mostly overwrite some stack space, when
> the buffer is allocated on stack at first.
>
> Most datasheets don't say anything about what they filter on PHR or not.
>
> In conclusion we introduce inside the Linux kernel [0] and all drivers will check
> the length field when receiving at first.
>
> In case of at86rf230 driver we check the len field at first, if invalid then we
> read out the full frame buffer (interesting for monitor interfaces and
> mac802154/etc should filter them correctly anyway if it's invalid), just avoid
> copying above 127 because of array boundaries. See [1].
>
> btw: We also always read the full framebuffer because of the RX_SAFE_MODE
> functionality from at86rf2xx transceivers. But then we check on a valid length
> field.
>
> The developer told me to tell that to RIOT, so I just want to leave a note here and I
> don't know if RIOT does filtering on that or not.
>
> - Alex
>
> [0] http://lxr.free-electrons.com/source/include/linux/ieee802154.h#L263
> [1] http://lxr.free-electrons.com/source/drivers/net/ieee802154/at86rf230.c#L704

-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 22363 bytes
Desc: image001.png
URL: <http://lists.riot-os.org/pipermail/devel/attachments/20160401/d6a17899/attachment-0001.png>
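
Added example, not part of the original messages and not taken from the RIOT or Linux drivers: a C receive helper that applies the two measures discussed above, masking the reserved PHR MSB and bounding the copy into a stack buffer. The names phr_frame_len, rx_copy_psdu and sample_fb are hypothetical, and the "strict" drop policy is this example's own choice; the frame-buffer image is assumed to be the PHR byte followed by the PSDU.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PSDU_MAX     127u  /* aMaxPHYPacketSize in IEEE 802.15.4 */
#define PHR_LEN_MASK 0x7Fu /* low 7 bits: frame length; MSB: reserved */

/* Frame length with the reserved PHR bit masked out (always <= PSDU_MAX). */
static uint8_t phr_frame_len(uint8_t phr)
{
    return (uint8_t)(phr & PHR_LEN_MASK);
}

/*
 * Copy the PSDU out of a frame-buffer image `fb` (PHR byte, then PSDU).
 * strict != 0: drop frames whose raw PHR exceeds PSDU_MAX.
 * strict == 0: accept them, using the masked length.
 * Returns the number of bytes copied, or -1 if the frame is rejected.
 */
static int rx_copy_psdu(const uint8_t *fb, size_t fb_size,
                        uint8_t *dst, size_t dst_size, int strict)
{
    if (fb == NULL || dst == NULL || fb_size < 1)
        return -1;
    if (strict && fb[0] > PSDU_MAX)
        return -1;
    size_t len = phr_frame_len(fb[0]);
    /* Bound by both the destination and the bytes actually read. */
    if (len > dst_size || len > fb_size - 1)
        return -1;
    memcpy(dst, fb + 1, len);
    return (int)len;
}

/* Constructed sample: PHR 0x85 (reserved bit set, masked length 5) + 5 bytes. */
static const uint8_t sample_fb[] = { 0x85, 0x41, 0x88, 0x01, 0xAA, 0xBB };

int main(void)
{
    uint8_t psdu[PSDU_MAX]; /* stack buffer sized for the largest legal frame */
    printf("masked: %d\n", rx_copy_psdu(sample_fb, sizeof sample_fb, psdu, sizeof psdu, 0));
    printf("strict: %d\n", rx_copy_psdu(sample_fb, sizeof sample_fb, psdu, sizeof psdu, 1));
    return 0;
}
```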

