Bug: CC2538 uses length byte before checking CRC

[HavingaThijs]

Description

The CC2538 is reading the length byte from a received packet to determine the location of the CRC result:

RIOT/cpu/cc2538/radio/cc2538_rf_radio_ops.c

Line 416 in 06aaf64

uint8_t pkt_len = rfcore_peek_rx_fifo(0);

However, the length byte itself might be corrupted as well.

Steps to reproduce the issue

Ping between two CC2528 devices under heavy interference (e.g., using Wi-Fi in an overlapping channel).

Expected results

Th receiver should read the correct CRC result from the RX FIFO, and not read outside of it.

Actual results

In some cases, the reported length will be greater than the FIFO size and it will then try to read the CRC bit from there:

RFCORE_ASSERT(idx >= 0 && idx < CC2538_RF_FIFO_SIZE) failed at line 79 in rfcore_peek_rx_fifo()!
RFCORE_SFR_RFERRF = 0x00

I found another reference to this error here: #13997 (comment)

In fact, it looks like the number of bytes in the RX FIFO as reported by the radio is just a mask of the length byte with 0x7F, e.g., with a reported packet length of 236, there are actually only 108 bytes in the receiving buffer.