diff --git a/src/mac/LoRaMac.c b/src/mac/LoRaMac.c index 47264c069..d0c477fb9 100644 --- a/src/mac/LoRaMac.c +++ b/src/mac/LoRaMac.c @@ -997,6 +997,13 @@ static void ProcessRadioRxDone( void ) switch( macHdr.Bits.MType ) { case FRAME_TYPE_JOIN_ACCEPT: + // Check if the received frame size is valid + if( size < LORAMAC_JOIN_ACCEPT_FRAME_MIN_SIZE ) + { + MacCtx.McpsIndication.Status = LORAMAC_EVENT_INFO_STATUS_ERROR; + PrepareRxDoneAbort( ); + return; + } macMsgJoinAccept.Buffer = payload; macMsgJoinAccept.BufSize = size; @@ -1068,7 +1075,8 @@ static void ProcessRadioRxDone( void ) getPhy.Datarate = MacCtx.McpsIndication.RxDatarate; getPhy.Attribute = PHY_MAX_PAYLOAD; phyParam = RegionGetPhyParam( MacCtx.NvmCtx->Region, &getPhy ); - if( MAX( 0, ( int16_t )( ( int16_t ) size - ( int16_t ) LORA_MAC_FRMPAYLOAD_OVERHEAD ) ) > ( int16_t )phyParam.Value ) + if( ( MAX( 0, ( int16_t )( ( int16_t ) size - ( int16_t ) LORAMAC_FRAME_PAYLOAD_OVERHEAD_SIZE ) ) > ( int16_t )phyParam.Value ) || + ( size < LORAMAC_FRAME_PAYLOAD_MIN_SIZE ) ) { MacCtx.McpsIndication.Status = LORAMAC_EVENT_INFO_STATUS_ERROR; PrepareRxDoneAbort( ); diff --git a/src/peripherals/atecc608a-tnglora-se/atecc608a-tnglora-se.c b/src/peripherals/atecc608a-tnglora-se/atecc608a-tnglora-se.c index c487d7e59..14e568050 100644 --- a/src/peripherals/atecc608a-tnglora-se/atecc608a-tnglora-se.c +++ b/src/peripherals/atecc608a-tnglora-se/atecc608a-tnglora-se.c @@ -499,6 +499,12 @@ SecureElementStatus_t SecureElementProcessJoinAccept( JoinReqIdentifier_t joinRe return SECURE_ELEMENT_ERROR_NPE; } + // Check that frame size isn't bigger than a JoinAccept with CFList size + if( encJoinAcceptSize > LORAMAC_JOIN_ACCEPT_FRAME_MAX_SIZE ) + { + return SECURE_ELEMENT_ERROR_BUF_SIZE; + } + // Determine decryption key KeyIdentifier_t encKeyID = NWK_KEY; diff --git a/src/peripherals/lr1110-se/lr1110-se.c b/src/peripherals/lr1110-se/lr1110-se.c index 106e92d06..56e027df6 100644 --- a/src/peripherals/lr1110-se/lr1110-se.c +++ b/src/peripherals/lr1110-se/lr1110-se.c @@ -290,6 +290,12 @@ SecureElementStatus_t SecureElementProcessJoinAccept( JoinReqIdentifier_t joinRe return SECURE_ELEMENT_ERROR_NPE; } + // Check that frame size isn't bigger than a JoinAccept with CFList size + if( encJoinAcceptSize > LORAMAC_JOIN_ACCEPT_FRAME_MAX_SIZE ) + { + return SECURE_ELEMENT_ERROR_BUF_SIZE; + } + // Determine decryption key KeyIdentifier_t encKeyID = NWK_KEY; diff --git a/src/peripherals/soft-se/soft-se.c b/src/peripherals/soft-se/soft-se.c index 80ad18e20..14946fd7d 100644 --- a/src/peripherals/soft-se/soft-se.c +++ b/src/peripherals/soft-se/soft-se.c @@ -395,6 +395,12 @@ SecureElementStatus_t SecureElementProcessJoinAccept( JoinReqIdentifier_t joinRe return SECURE_ELEMENT_ERROR_NPE; } + // Check that frame size isn't bigger than a JoinAccept with CFList size + if( encJoinAcceptSize > LORAMAC_JOIN_ACCEPT_FRAME_MAX_SIZE ) + { + return SECURE_ELEMENT_ERROR_BUF_SIZE; + } + // Determine decryption key KeyIdentifier_t encKeyID = NWK_KEY;