From: Alexander Aring <alex.aring@gmail.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: linux-bluetooth <linux-bluetooth@vger.kernel.org>,
kernel@pengutronix.de,
Jukka Rissanen <jukka.rissanen@linux.intel.com>
Subject: Re: [RFC bluetooth-next 1/2] bluetooth: 6lowpan: avoid endless loop
Date: Sun, 25 Oct 2015 21:27:21 +0100 [thread overview]
Message-ID: <20151025202716.GA6435@omega> (raw)
In-Reply-To: <D10520FE-A8A8-49D9-B6BA-E6682CBCFB42@holtmann.org>
Hi Marcel,
On Mon, Oct 26, 2015 at 05:11:37AM +0900, Marcel Holtmann wrote:
> Hi Alex,
>
> > When -EAGAIN as return value for receive handling will do a retry of
> > parsing I can trigger a endless loop when iphc decompression e.g.
> > returns an errno because some missing function "-ENOTSUPP" or something
> > else. Somebody from outside can trigger an endless loop when sending a
> > an IPHC header which triggers this behaviour.
> >
> > NOTE: This really depends only if -EAGAIN means "try again to call the
> > receive handler with the skb". Sometimes we also drop (and kfree) the
> > skb, I think something is broken there... depends on the error branch.
> > When receiving failed simple free skb and return errno (which is not
> > -EAGAIN).
>
> I am lost on this comment, you need to explain this more and might actually want to put a comment in the code on this.
>
I am sorry, what I meant there is "How exactly does the '.recv' of
'l2cap_ops'" handle an -EAGAIN errno. If this means the callback will be
called again with the same parameters (What I am thinking of, when I
return -EAGAIN) then we have an endless loop which can be triggered from
the outside by sending an invalid/not supported IPHC 6LoWPAN header.
Because the function "chan_recv_cb" (which is ".recv") will call
recv_pkt (which return -EAGAIN on failure) and this function will call
ret = iphc_decompress(local_skb, dev, chan), which parse the IPHC Header
(can occur errno on invalid frames), then the complete calling chain
will return -EAGAIN at ".recv" callback of l2cap_ops". The IPHC header
comming from the "outside", everybody can manipulate this data.
Is it more clear now what I try to explained here?
First look on ".recv" callback handling in "net/bluetooth/l2cap_core.c"
a return of -EAGAIN, will not try to call the ".recv" callback with the
same parameters again.
Anyway, we should not use -EAGAIN here, or? Simple return the errno from
function which returns it.
- Alex
next prev parent reply other threads:[~2015-10-25 20:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-24 14:50 [RFC bluetooth-next 0/2] bluetooth: 6lowpan: suggestions for Jukka Alexander Aring
2015-10-24 14:50 ` [RFC bluetooth-next 1/2] bluetooth: 6lowpan: avoid endless loop Alexander Aring
2015-10-25 20:11 ` Marcel Holtmann
2015-10-25 20:27 ` Alexander Aring [this message]
2015-10-27 9:21 ` Jukka Rissanen
2015-10-24 14:50 ` [RFC bluetooth-next 2/2] bluetooth: 6lowpan: rework receive handling Alexander Aring
2015-10-28 8:57 ` Jukka Rissanen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20151025202716.GA6435@omega \
--to=alex.aring@gmail.com \
--cc=jukka.rissanen@linux.intel.com \
--cc=kernel@pengutronix.de \
--cc=linux-bluetooth@vger.kernel.org \
--cc=marcel@holtmann.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.