Merge pull request #621 from thingsconnected/pullreq6

mluis1 · web-flow · commit 4eece1ebc43d · 2018-12-18T09:19:45.000+01:00
LoRaMacSerializerData buffer overflow fix
diff --git a/src/mac/LoRaMacSerializer.c b/src/mac/LoRaMacSerializer.c
@@ -134,19 +134,19 @@ LoRaMacSerializerStatus_t LoRaMacSerializerData( LoRaMacMessageData_t* macMsg )
                                + LORAMAC_FHDR_F_CTRL_FIELD_SIZE
                                + LORAMAC_FHDR_F_CNT_FIELD_SIZE;
 
-    if( macMsg->FRMPayloadSize == 0 )
+    computedBufSize += macMsg->FHDR.FCtrl.Bits.FOptsLen;
+
+    if( macMsg->FRMPayloadSize > 0 )
     {
-        if( macMsg->BufSize < computedBufSize )
-        {
-            return LORAMAC_SERIALIZER_ERROR_BUF_SIZE;
-        }
+        computedBufSize += LORAMAC_F_PORT_FIELD_SIZE;
     }
-    else
-    {   //If FRMPayload >0, FPort field is present.
-        if( macMsg->BufSize < computedBufSize + macMsg->FHDR.FCtrl.Bits.FOptsLen + macMsg->FRMPayloadSize + LORAMAC_F_PORT_FIELD_SIZE )
-        {
-            return LORAMAC_SERIALIZER_ERROR_BUF_SIZE;
-        }
+
+    computedBufSize += macMsg->FRMPayloadSize;
+    computedBufSize += LORAMAC_MIC_FIELD_SIZE;
+
+    if( macMsg->BufSize < computedBufSize )
+    {
+        return LORAMAC_SERIALIZER_ERROR_BUF_SIZE;
     }
 
     macMsg->Buffer[bufItr++] = macMsg->MHDR.Value;
