
CC2530: Bug in error handling of improperly sized packets in Zigbee Linux Gateway

Part Number: CC2530

The code enters an infinite loop when the packet size is wrong.

This is valid for all current versions of the gateway.

In tcp_client.c, remaining_len is not updated when it is invalid, and therefore the client stays in the loop.

while (remaining_len > 0)
{
    if ((unsigned)remaining_len < sizeof(pkt_ptr->header))
    {
        UI_PRINT_LOG("%sERROR: Packet header incomplete. expected_len=%d, actual_len=%d", DARK_RED, sizeof(pkt_ptr->header), remaining_len);
    }
    else if (remaining_len < (pkt_ptr->header.len + 4))
    {
        UI_PRINT_LOG("%sERROR: Packet truncated. expected_len=%d, actual_len=%d", DARK_RED, (pkt_ptr->header.len + 4), remaining_len);
    }
    else
    {
        [...]

  • Hi le_top,

    Thank you for raising this issue. Do you think it is enough to set remaining_len to zero during these conditions to break the loop, or do you believe tcp_socket_event_handler should be modified such that a fail/error status is returned?

    Regards,
    Ryan
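The following is an added, self-contained illustration of the framing loop discussed in the report and in the follow-up question about how to break out of it. It is not code from the TI Zigbee Linux Gateway: the 4-byte header layout (16-bit little-endian length plus two one-byte fields), the function names process_buffer and buggy_loop_iterations, the FRAME_* status codes and the sample byte streams are all assumptions made for this example. The fixed loop returns a status and the number of bytes consumed on either error branch, which is the second of the two options raised above; the buggy variant reproduces the no-progress pattern from the report with an iteration cap so the spin can be measured instead of hanging.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Assumed 4-byte framing header: 16-bit little-endian payload length followed
 * by two one-byte fields (subsystem, cmd_id). This layout is an assumption for
 * the example; it only mirrors the "header.len + 4" arithmetic in the report.
 */
#define HDR_LEN 4u

enum { FRAME_OK = 0, FRAME_ERR_HEADER_INCOMPLETE = -1, FRAME_ERR_TRUNCATED = -2 };

typedef struct {
    int      status;      /* FRAME_OK or a FRAME_ERR_* code */
    size_t   consumed;    /* bytes successfully framed before stopping */
    unsigned dispatched;  /* complete packets handed to the dispatcher */
} frame_result_t;

static uint16_t hdr_payload_len(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Stand-in for the real packet handler: just report what would be dispatched. */
static void dispatch(const uint8_t *pkt, size_t total_len)
{
    printf("dispatch: subsystem=0x%02x cmd=0x%02x total_len=%zu\n",
           pkt[2], pkt[3], total_len);
}

/*
 * Fixed framing loop. Every iteration either consumes one whole packet or
 * returns with an error status, so the loop always terminates. Reporting
 * the consumed byte count lets the caller keep a partial tail for the next
 * recv() instead of silently discarding it.
 */
static frame_result_t process_buffer(const uint8_t *buf, size_t remaining_len)
{
    frame_result_t r = { FRAME_OK, 0, 0 };

    while (remaining_len > 0) {
        if (remaining_len < HDR_LEN) {
            r.status = FRAME_ERR_HEADER_INCOMPLETE;
            return r;
        }
        size_t total_len = (size_t)hdr_payload_len(buf) + HDR_LEN;
        if (remaining_len < total_len) {
            r.status = FRAME_ERR_TRUNCATED;
            return r;
        }
        dispatch(buf, total_len);
        r.dispatched++;
        r.consumed    += total_len;
        buf           += total_len;
        remaining_len -= total_len;
    }
    return r;
}

/*
 * The pattern from the report, with an iteration cap so the spin can be
 * measured: on either error branch nothing is consumed, so remaining_len
 * never changes and the loop never exits on its own.
 */
static unsigned buggy_loop_iterations(const uint8_t *buf, size_t remaining_len, unsigned cap)
{
    unsigned iters = 0;
    while (remaining_len > 0 && iters < cap) {
        iters++;
        if (remaining_len < HDR_LEN) {
            /* original only logs "Packet header incomplete" and falls through */
        } else if (remaining_len < (size_t)hdr_payload_len(buf) + HDR_LEN) {
            /* original only logs "Packet truncated" and falls through */
        } else {
            size_t total_len = (size_t)hdr_payload_len(buf) + HDR_LEN;
            buf           += total_len;
            remaining_len -= total_len;
        }
    }
    return iters;
}

/* Constructed sample streams for the example (not captured traffic). */
/* two complete packets: len=2 with payload AA BB, then len=0 */
static const uint8_t SAMPLE_OK[] = { 0x02, 0x00, 0x01, 0x10, 0xAA, 0xBB,
                                     0x00, 0x00, 0x02, 0x20 };
/* first packet complete, second packet's header cut off after 3 bytes */
static const uint8_t SAMPLE_SHORT_HDR[] = { 0x02, 0x00, 0x01, 0x10, 0xAA, 0xBB,
                                            0x05, 0x00, 0x02 };
/* header claims len=2 but only one payload byte has arrived */
static const uint8_t SAMPLE_TRUNCATED[] = { 0x02, 0x00, 0x01, 0x10, 0xAA };

int main(void)
{
    frame_result_t r = process_buffer(SAMPLE_SHORT_HDR, sizeof SAMPLE_SHORT_HDR);
    printf("status=%d consumed=%zu dispatched=%u\n", r.status, r.consumed, r.dispatched);
    printf("buggy loop iterations before cap: %u\n",
           buggy_loop_iterations(SAMPLE_SHORT_HDR, sizeof SAMPLE_SHORT_HDR, 1000));
    return 0;
}
```

Zeroing remaining_len on the error branch also terminates the loop, but it throws away whatever bytes were left in the buffer, including a legitimate packet whose tail simply has not arrived yet. Returning a status together with the consumed count lets the caller decide whether to carry the partial tail over to the next read or drop the connection, and makes the failure visible to the socket event handler rather than only to the log.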