Hi all, I am developing a lin application using S32k118 micro-controller, s23DS 3.4 and SDK RTM 4.0.3.
I think I found a bug in linstack library, I don't know if this is the most suitable place for signaling it.
I am experiencing a vector catch issue when I try to send a multiframe master request (e.g. UDS service $2E, total payload 11 bytes) and then I try to perform a send even a single frame command (e.g. UDS service $22, total payloads 3 bytes).
From debugging it seems that in the function tl_receive_message() (in lin_commontl_proto.c file), the assignation of the length within the switch(PCI_type), for how it is implemented, causes it the length variable tmp_length to wrap around in case of first a longer message (e.g. multiframe) and then a shorter one. In the end, this leads to an attempt to write the buffer at an index greater then buffer dimension, thus vector catch.
I implemented a fix that seems to resolve the issue, (snapshot below), can anyone tell me if this is a known issue? Is solved in a different SDK version for DS 3.4 (so RTM > 4.0.3)? Furhtermore, may the posted fix have potential problematic drawbacks?
Thank you in advance and BR
static void tl_receive_message(l_ifc_handle iii)
{
...
/* Single frame */
case PCI_SF:
tmp_length = (l_u16)((l_u16)pdu[1] & 0x000FU);
/* Swapped assignation of variables */
// i = *length;
// *length = tmp_length;
*length = tmp_length;
i = *length;
/* Commented if branch */
// if (i < tmp_length)
// {
// tmp_length = i;
// }
....
/* Multi frame */
case PCI_FF:
/* First frame */
tmp_length = (l_u16)((((l_u16)pdu[1] & 0x000FU) << + (l_u16)pdu[2]);
/* Swapped assignation of variables */
// i = *length;
// *length = tmp_length;
*length = tmp_length;
i = *length;
/* Commented if branch */
// if (i < tmp_length)
// {
// tmp_length = i;
// }
