From: Oliver Hartkopp <socketcan@hartkopp.net>
To: Luotao Fu <l.fu@pengutronix.de>
Cc: socketcan-users@lists.berlios.de,
Michael Olbrich <m.olbrich@pengutronix.de>,
linux-kernel@vger.kernel.org
Subject: Re: [Socketcan-users] [PATCH] CAN: make checking in can_rcv less restrictive
Date: Thu, 06 Aug 2009 22:58:22 +0200 [thread overview]
Message-ID: <4A7B43EE.8050601@hartkopp.net> (raw)
In-Reply-To: <20090806201740.GA7067@pengutronix.de>
Luotao Fu wrote:
> Hi Oliver,
>
>>> - BUG_ON(skb->len != sizeof(struct can_frame) || cf->can_dlc > 8);
>>> + WARN_ON(skb->len != sizeof(struct can_frame) || cf->can_dlc > 8);
>>>
>>> /* update statistics */
>>> can_stats.rx_frames++;
>> NAK.
>>
>> The CAN applications can rely on getting proper CAN frames with this check. It
>> was introduced some time ago together with several other sanity checks - even
>> on the TX path.
>>
>> The CAN core *only* consumes skbuffs originated from a CAN netdevice
>> (ARPHRD_CAN).
>
> I don't quite get it. The problem here is a broken can message sent to
> the device can bring down the kernel.
I assume you mean from the wire via the controller to the Kernel here, right?
>
>> When this BUG() triggers, someone provided a definitely broken *CAN* network
>> driver, and this needsfp to be fixed on that level.
>
> In our case a sender (a FPGA) generates correct can frames carrying
> wrong dlc length.
Which is therefore *NOT* a correct CAN frame.
> This way the can driver on our side runs into the bug
> though the driver itself is allright.
Whatever there is on the bus or whatever your CAN controller provides in it's
dlc value: You need to ensure that the dlc is 0..8 before you push it into the
skbuff and call netif_rx(). Everything else *is* broken and not CAN conform.
> The opposite needed to be fixed,
> not our side.
Sure but it's your turn to be robust against obviously wrongs stuff, that's
provided by your (obviously sloppy) CAN controller.
> Though we do suffer a system crash only because the
> sender sends trash into the can network. This is imo quite bad.
No. You suffer because you allow the trash to climb up into the system.
Anyway i really wonder that there is a CAN controller that provides you
information in its registers that describe a non conform CAN frame.
This discussion shows that using BUG() was the correct approach :-)
Fix your driver and do not allow to pass broken stuff into the system.
Cheers,
Oliver
next prev parent reply other threads:[~2009-08-06 20:58 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-08-06 15:24 [PATCH] CAN: make checking in can_rcv less restrictive Luotao Fu
2009-08-06 16:48 ` [Socketcan-users] " Oliver Hartkopp
2009-08-06 20:17 ` Luotao Fu
2009-08-06 20:58 ` Oliver Hartkopp [this message]
2009-08-06 21:02 ` Luotao Fu
2009-08-07 4:08 ` Oliver Hartkopp
2009-08-07 6:52 ` Rémi Denis-Courmont
2009-08-07 11:35 ` Oliver Hartkopp
2009-08-07 11:46 ` Luotao Fu
2009-08-07 11:54 ` Rémi Denis-Courmont
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A7B43EE.8050601@hartkopp.net \
--to=socketcan@hartkopp.net \
--cc=l.fu@pengutronix.de \
--cc=linux-kernel@vger.kernel.org \
--cc=m.olbrich@pengutronix.de \
--cc=socketcan-users@lists.berlios.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.