drivers: net: ppp: fix removing CRC16 from packet

CRC16 was removed by simply decreasing length of the last fragment by 2.
This worked as long as last fragment was longer than 1 byte. If not,
then last fragment was corrupted (its length ended up being 65535),
leading to undefined behavior.

Fix CRC16 removal by utilizing recently introduced
net_pkt_remove_tail(), that properly handles multiple fragments.

Reported-by: Jim Paris <jim@jim.sh>
Signed-off-by: Marcin Niestroj <m.niestroj@emb.dev>
Marcin Niestroj 2021-07-15 08:55:21 +02:00 committed by Christopher Friedt
commit d08c6ee113

@ -416,8 +416,8 @@ static void ppp_process_msg(struct ppp_driver_context *ppp)
#endif
net_pkt_unref(ppp->pkt);
} else {
/* Skip FCS bytes (2) */
net_buf_frag_last(ppp->pkt->buffer)->len -= 2;
/* Remove FCS bytes (2) */
net_pkt_remove_tail(ppp->pkt, 2);
/* Make sure we now start reading from PPP header in
* PPP L2 recv()
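
Review bot: the return value of `net_pkt_remove_tail(ppp->pkt, 2);` is discarded in the else branch, so a received frame that holds fewer than 2 bytes in total would still be handed on to PPP L2 recv() even though the FCS removal failed. net_pkt_remove_tail() returns an int status; consider checking it and, on a negative result, dropping the packet with `net_pkt_unref(ppp->pkt);` as the branch just above does, instead of continuing. Since the commit message describes the failing case as a last fragment of 1 byte or less, a test that feeds a frame whose FCS straddles two fragments would also keep this from regressing.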