packdev_t: Increment pointer address, not pointer value

If pDev is not NULL, everything in the buffer from linkInfo.InFrmCntr onwards was also garbage: The *pBuf+=4 is definitely a bug, it increments the value, not the pointer address. So linkInfo.InFrmCntr is written to the buffer, then linkInfo.InFrmCntr in the buffer is incremented by 4, and then the first two bytes (because the pointer was not incremented) are overwritten with linkInfo.TxFailure. I replaced it with the correct pBuf +=4. See Koenkk/zigbee2mqtt#13478 (comment) @slugzero Signed-off-by: Olliver Schinagl <oliver@schinagl.nl>
oliv3r · Aug 28, 2024 · c743b7c · c743b7c
1 parent d075e37
commit c743b7c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/source/ti/zstack/mt/mt_util.c b/source/ti/zstack/mt/mt_util.c
@@ -1546,7 +1546,7 @@ static void packDev_t(uint8_t *pBuf, associated_devices_t *pDev)
     *pBuf++ = pDev->linkInfo.rxLqi;
     *pBuf++ = pDev->linkInfo.inKeySeqNum;
     OsalPort_bufferUint32( pBuf, pDev->linkInfo.inFrmCntr );
-    *pBuf += 4;
+    pBuf += 4;
     *pBuf++ = LO_UINT16(pDev->linkInfo.txFailure);
     *pBuf++ = HI_UINT16(pDev->linkInfo.txFailure);
   }