When mtu is very small (e.g. 6 or 7), the final mbuf can be larger than the second last mbuf, since the RCS is sent seperately.
The curr_bit_offset variable will never be larger than the temp_offset variable when fetching a byte using mbuf_get_byte() which results in an endless loop.
See mbuf_compute_mic() and mbuf_copy()
Reproduce error w/ fragment example with mtu set to 6 or 7 with NO_ACK reliability mode.
When mtu is very small (e.g. 6 or 7), the final mbuf can be larger than the second last mbuf, since the RCS is sent seperately.
The
curr_bit_offsetvariable will never be larger than thetemp_offsetvariable when fetching a byte usingmbuf_get_byte()which results in an endless loop.See
mbuf_compute_mic()andmbuf_copy()Reproduce error w/ fragment example with mtu set to 6 or 7 with
NO_ACKreliability mode.