CC1310: RFQueue: possibility of buffer overflow?

Pieter Conradie

Prodigy 170 points

Part Number: CC1310

Tool/software:

Hi there!

Set up info:

CC1310F32 microcontroller
NoRTOS application
RF Single Mode
Proprietary RX and TX
SDK 4.20.02.07
CCS 12.8.1

I want to find out if there could be an RFQeue buffer overflow under rare / unusual circumstances? Here is the relevant code snippet that shows how the RFQueue is set up as well as the proprietary RX cmd (RF_cmdPropRx):

#include DeviceFamily_constructPath(driverlib/rf_prop_mailbox.h)
#include "RFQueue.h"

/* Packet RX Configuration */
#define DATA_ENTRY_HEADER_SIZE 8   /* Constant header size of a Generic Data Entry */
#define MAX_LENGTH             100 /* Max length byte the radio will accept */
#define NUM_DATA_ENTRIES       2   /* NOTE: Only two data entries supported at the moment */
#define NUM_APPENDED_BYTES     3   /* The Data Entries data field will contain:
                                    * 1 Header byte (RF_cmdPropRx.rxConf.bIncludeHdr = 0x1)
                                    * Max 100 payload bytes
                                    * 1 RSSI byte (RF_cmdPropRx.rxConf.bAppendRssi = 1)
                                    * 1 status byte (RF_cmdPropRx.rxConf.bAppendStatus = 0x1)
                                    */

#pragma DATA_ALIGN(rxDataEntryBuffer, 4)
uint8_t rxDataEntryBuffer[RF_QUEUE_DATA_ENTRY_BUFFER_SIZE(NUM_DATA_ENTRIES, MAX_LENGTH, NUM_APPENDED_BYTES)];

// CMD_PROP_RX
// Proprietary Mode Receive Command
rfc_CMD_PROP_RX_t RF_cmdPropRx =
{
    .commandNo = 0x3802,
    .status = 0x0000,
    .pNextOp = 0, // INSERT APPLICABLE POINTER: (uint8_t*)&xxx
    .startTime = 0x00000000,
    .startTrigger.triggerType = 0x0,
    .startTrigger.bEnaCmd = 0x0,
    .startTrigger.triggerNo = 0x0,
    .startTrigger.pastTrig = 0x0,
    .condition.rule = 0x1,
    .condition.nSkip = 0x0,
    .pktConf.bFsOff = 0x0,
    .pktConf.bRepeatOk = 0x0,
    .pktConf.bRepeatNok = 0x0,
    .pktConf.bUseCrc = 0x1,
    .pktConf.bVarLen = 0x1,
    .pktConf.bChkAddress = 0x0,
    .pktConf.endType = 0x0,
    .pktConf.filterOp = 0x0,
    .rxConf.bAutoFlushIgnored = 0x0,
    .rxConf.bAutoFlushCrcErr = 0x0,
    .rxConf.bIncludeHdr = 0x1,
    .rxConf.bIncludeCrc = 0x0,
    .rxConf.bAppendRssi = 0x1,
    .rxConf.bAppendTimestamp = 0x0,
    .rxConf.bAppendStatus = 0x1,
    .syncWord = 0x930B51DE,
    .maxPktLen = 0x64,
    .address0 = 0xAA,
    .address1 = 0xBB,
    .endTrigger.triggerType = 0x1,
    .endTrigger.bEnaCmd = 0x0,
    .endTrigger.triggerNo = 0x0,
    .endTrigger.pastTrig = 0x0,
    .endTime = 0x00000000,
    .pQueue = 0, // INSERT APPLICABLE POINTER: (dataQueue_t*)&xxx
    .pOutput = 0 // INSERT APPLICABLE POINTER: (uint8_t*)&xxx
};

static dataQueue_t dataQueue;

void *mainThread(void *arg0)
{
    RFQueue_defineQueue(&dataQueue,
                        rxDataEntryBuffer,
                        sizeof(rxDataEntryBuffer),
                        NUM_DATA_ENTRIES,
                        MAX_LENGTH + NUM_APPENDED_BYTES));
}

You will see that the length byte (header) is appended, as well as the RSSI and Status byte (#NUM_APPENDED_BYTES = 3). The maximum length that will be accepted is 100 bytes (#MAX_LENGTH = 100 and RF_cmdPropRx.maxPktLen = 0x64).

I have performed tests where I painted the data content of rxDataEntryBuffer with a magic value (0xCC) and received the maximum length packet but did not observe a buffer overflow. An RF packet larger than 100 bytes is rejected. Despite that, there are very rare circumstances where we suspect that a buffer overflow could be happening.

From the code snippet you will see that RF_cmdPropRx.bIncludeCrc = 0 and RF_cmdPropRx.bAppendTimestamp = 0. Could there be an RF packet error condition where this or other meta data is appended even though it is not supposed to?

#MAX_LENGTH = 100. Could there be a 4-byte alignment requirement where meta data is appended past the end of rxDataEntryBuffer?

Thanks in advance,

Pieter

5 months ago

0 Marie H 5 months ago

TI__Guru* 81601 points

Hi Pieter,

1. Which version of the SimpleLink SDK are you using?

2. When you say you suspect a buffer overflow, can you tell me what the symptoms are?

3. Yes indeed there is a 4-byte alingnment requirement, each queue entry needs to be aligned to the 4-byte boundary.

https://dev.ti.com/tirex/explore/content/simplelink_cc13xx_cc26xx_sdk_8_30_01_01/docs/proprietary-rf/proprietary-rf-users-guide/rf-core/data-queues.html

Cheers,

Marie H

0 Pieter Conradie 5 months ago in reply to Marie H

Prodigy 170 points

Hi Marie,

1. I am using Simplelink CC13x0 SDK 4.20.02.07. Correct me if I am wrong but this is the latest?

2. It is a shot in the dark. The problem has been very elusive to reproduce and so far I have been unable to debug a device in that bad state. There is an 8-bit state variable "net_dev_state" that is allocated just after the RFQueue data buffer "rf_modem_rx_data_entry_buffer" and the symptoms are consistent with it getting corrupted:

3. I have checked and 0x200004A0 as well as 0x20000510 is on a 4-byte boundary.

Regards,

Pieter

+1 Siri 5 months ago in reply to Pieter Conradie

TI__Guru* 86191 points

It should not be possible to get a buffer overflow with your settings. As far as I can see the only changes you have done to the default example is to add the RSSI status, and turn off repeat mode and filtering.

If it was an overflow, this would happen for all packets of max length that the radio is set up to (100 bytes). You have also verified that if you set the length byte to 101, the radio itself will filter away the packets with length byte higher than 100.

Siri

0 Pieter Conradie 5 months ago in reply to Siri

Prodigy 170 points

Hi Siri,

OK thanks for the check :) It is a shot in the dark and I am just checking every possibility.

Best regards,

Pieter

Sub-1 GHz

Sub-1 GHz forum

CC1310: RFQueue: possibility of buffer overflow?