CC2652R: Issue about ZDP_TmpBuf size in ZDP_ParentAnnce

Part Number: CC2652R


We find there might be an issue with the ZDP_TmpBuf size in ZDP_ParentAnnce.

1. ZDP_Buf[ ZDP_BUF_SZ ], ZDP_BUF_SZ=80, *ZDP_TmpBuf = ZDP_Buf+1, and this means ZDP_TmpBuf is only 79 bytes in size.

2. If the code goes into the following for-loop, it will copy 80 bytes to *pBuf = ZDP_TmpBuf, and that will go out of the ZDP_TmpBuf boundary.

  for ( i = 0; i < MAX_PARENT_ANNCE_CHILD; i++ )
  {
    pBuf = osal_cpyExtAddr( pBuf, pChildInfo[childIndex].extAddr );
    childIndex++;

    len += Z_EXTADDR_LEN;

    if ( childIndex == numberOfChildren )
    {
      pBuf = numOfChild;
      *pBuf = i + 1;
      // All childs are taken, restart index and go out
      childIndex = 0;
      return fillAndSend( TransSeq, dstAddr, clusterID, len );
    }
  }

We think this will cause a problem. Can you help to verify this issue?

  • The perfect solution is like this

    #define ZDP_BUF_SZ          82 //80
    
    ...
    
    
    afStatus_t ZDP_ParentAnnce( uint8_t *TransSeq,
                                zAddrType_t *dstAddr,
                                uint8_t numberOfChildren,
                                uint8_t *childInfo,
                                cId_t clusterID,
                                uint8_t SecurityEnable )
    {
      uint8_t *pBuf = ZDP_TmpBuf;
      ZDO_ChildInfo_t *pChildInfo;
      uint8_t i, len;
      uint8_t *numOfChild;
      uint8_t maxParentAnnceChild = MAX_PARENT_ANNCE_CHILD; //luoyiming fixed at 2020-02-27
    
      (void)SecurityEnable;  // Intentionally unreferenced parameter
    
      pChildInfo = (ZDO_ChildInfo_t *)childInfo;
    
      if ( dstAddr->addrMode == AddrBroadcast )
      {
        // Make sure is sent to 0xFFFC
        dstAddr->addr.shortAddr = NWK_BROADCAST_SHORTADDR_DEVZCZR;
      }
      len = 1;
      if ( clusterID == Parent_annce_rsp )
      {
        // + Status Byte
        len += 1;
        // Set the status bit to success
        *pBuf++ = 0;
        // 79 byte of ZDP_TmpBuf is not enough, fixed by luoyiming 2020-02-27
        maxParentAnnceChild -= 1;
      }
    
      numOfChild = pBuf;
      *pBuf++ = numberOfChildren;
    
      for ( i = 0; i < maxParentAnnceChild; i++ )
      {
        pBuf = osal_cpyExtAddr( pBuf, pChildInfo[childIndex].extAddr );
        childIndex++;
    
        len += Z_EXTADDR_LEN;
    
        if ( childIndex == numberOfChildren )
        {
          pBuf = numOfChild;
          *pBuf = i + 1;
          // All childs are taken, restart index and go out
          childIndex = 0;
          return fillAndSend( TransSeq, dstAddr, clusterID, len );
        }
      }
    
      pBuf = numOfChild;
      *pBuf = maxParentAnnceChild;
      if ( childIndex < numberOfChildren )
      {
        if ( clusterID == Parent_annce )
        {
          ZDApp_SetParentAnnceTimer();
        }
        if ( clusterID == Parent_annce_rsp )
        {
          OsalPortTimers_startTimer( ZDAppTaskID, ZDO_PARENT_ANNCE_EVT, 10 );
        }
      }
    
      return fillAndSend( TransSeq, dstAddr, clusterID, len );
    }

    ——————

    The MTU of an AF broadcast frame is 82 bytes, so ZDP_BUF_SZ can only be set to 82 bytes.

    The Parent_annce frame carries a 1-byte ZDP_Sequence and a 1-byte "numChildren". The remaining 80 bytes can carry 10 IEEE addresses.

    The Parent_annce_rsp frame carries a 1-byte ZDP_Sequence, a 1-byte "status byte" and a 1-byte "numChildren". The remaining 79 bytes can only carry 9 IEEE addresses.

  • I agree with you. I just want TI to check and confirm it.

  • Hi,

    Thank you for bringing this up, I think this is an issue as well.

    I've passed it on to the development team.

    It looks like for 10 children, you will need ZDP_BUF_SZ == 83:
    - 1 byte for TransSeq (see function fillAndSend called by ZDP_ParentAnnce)
    - 1 byte for NumberOfChildren
    - 1 byte for Status (if it is Parent Annce Rsp)
    - 80 bytes for children list: MAX_PARENT_ANNCE_CHILD * Z_EXTADDR_LEN

    Regards,
    Toby

  • Thanks for confirming this.

  • The maximum size of a broadcast frame is 82 bytes. So the best way is to cut down the number of children in one frame of the parent-announce-response command.

  • Good point Aries!

    The only broadcast in this case is Parent Annce, which uses:
    - 1 byte for TransSeq
    - 1 byte for NumberOfChildren
    - 80 bytes left for children --> up to 10 children

    However, the Parent Annce Rsp is a unicast, so a payload larger than 82 bytes is possible (but not "pretty", since it will be fragmented).

    A good compromise (to avoid fragmentation) may be as you mentioned, to set the buffer size to 82 and reduce the number of children in both Parent Annce and Parent Annce Rsp to 9.
    I'll pass this along as well.

  • Thanks Aries and Toby.
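The size arithmetic discussed in this thread, as an added stand-alone example that is not part of the thread or of TI's stack: it derives the per-frame child limit from the buffer size instead of a fixed loop bound, so the copy cannot run past the buffer. The function names are hypothetical, `buf_sz` stands for the whole buffer including the TransSeq byte (ZDP_BUF_SZ in the thread), and the two constants are the values implied by the thread's "80 bytes for 10 children".

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define Z_EXTADDR_LEN          8   /* IEEE address length (80 bytes / 10 children) */
#define MAX_PARENT_ANNCE_CHILD 10  /* value implied by the thread's 80-byte child list */

/* Bytes one frame needs: TransSeq + optional Status + NumberOfChildren + child list. */
size_t parent_annce_frame_len(int is_rsp, size_t children)
{
    return 1 + (is_rsp ? 1 : 0) + 1 + children * Z_EXTADDR_LEN;
}

/* Largest child count that fits in buf_sz bytes, capped at MAX_PARENT_ANNCE_CHILD. */
size_t parent_annce_max_children(int is_rsp, size_t buf_sz)
{
    size_t hdr = parent_annce_frame_len(is_rsp, 0);
    size_t n = (buf_sz < hdr) ? 0 : (buf_sz - hdr) / Z_EXTADDR_LEN;
    return n > MAX_PARENT_ANNCE_CHILD ? MAX_PARENT_ANNCE_CHILD : n;
}

/* Hypothetical bounds-checked builder (not TI's API). ext holds total * 8 bytes.
 * Packs as many children as fit, stores that count in *sent, and returns the
 * frame length, or 0 when even the header does not fit. */
size_t build_parent_annce(uint8_t *buf, size_t buf_sz, int is_rsp, uint8_t seq,
                          const uint8_t *ext, size_t total, size_t *sent)
{
    size_t cap = parent_annce_max_children(is_rsp, buf_sz);
    size_t n = total < cap ? total : cap;
    uint8_t *p = buf;
    *sent = 0;
    if (buf_sz < parent_annce_frame_len(is_rsp, 0)) return 0;
    *p++ = seq;
    if (is_rsp) *p++ = 0;              /* status byte: success */
    *p++ = (uint8_t)n;                 /* count actually packed, not the total */
    memcpy(p, ext, n * Z_EXTADDR_LEN);
    *sent = n;
    return parent_annce_frame_len(is_rsp, n);
}

int main(void)
{
    size_t sizes[] = { 80, 82, 83 };
    for (size_t i = 0; i < 3; i++)
        printf("buf=%zu annce=%zu rsp=%zu\n", sizes[i],
               parent_annce_max_children(0, sizes[i]),
               parent_annce_max_children(1, sizes[i]));
    return 0;
}
```

The caller sends the remaining `total - sent` children in a follow-up frame, which mirrors the timer-driven continuation in the posted function.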