From: Oliver Hartkopp <socketcan@hartkopp.net>
To: Marc Kleine-Budde <mkl@pengutronix.de>, linux-can@vger.kernel.org
Subject: Re: BUG? candump -x and non CANFD frames
Date: Fri, 24 Jan 2014 17:20:03 +0100
Message-ID: <52E292B3.8010009@hartkopp.net>
In-Reply-To: <52E2754C.9020204@pengutronix.de>

On 24.01.2014 15:14, Marc Kleine-Budde wrote:
> Hello,
>
> I'm running "candump -x any,0:0,#FFFFFFFF" on standard CAN hardware and
> I see this output:
>
> can0 RX - - 222 [7] 00 00 00 00 00 00 00
> can0 TX - E 111 [1] 00
>
> The "E" should not be there, as it only makes sense for CANFD frames, as
> it's derived from the "flags" member of the canfd_frame.
>
>> struct can_frame {
>>     canid_t can_id;  /* 32 bit CAN_ID + EFF/RTR/ERR flags */
>>     __u8    can_dlc; /* frame payload length in byte (0 .. CAN_MAX_DLEN) */
>>     __u8    data[CAN_MAX_DLEN] __attribute__((aligned(8)));
>> };
>
>> struct canfd_frame {
>>     canid_t can_id;  /* 32 bit CAN_ID + EFF/RTR/ERR flags */
>>     __u8    len;     /* frame payload length in byte */
>>     __u8    flags;   /* additional flags for CAN FD */
>>     __u8    __res0;  /* reserved / padding */
>>     __u8    __res1;  /* reserved / padding */
>>     __u8    data[CANFD_MAX_DLEN] __attribute__((aligned(8)));
>> };
>
> As the software is big and proprietary, I cannot look at the code, if
> the unused 3 bytes in the can_frame are filled with zeros or not. At
> first sight all TX'ed frames have the E flag set.
>
> What's the correct fix?
>
> Do we have to fix something in the kernel, is there a possible
> information leak of 3 bytes of kernel memory for TX'ed frames?

I don't assume this. TX frames are usually created by applications (and by
bcm.c and isotp.c which do it correctly).

> Or only a
> cross application information leakage?

Yep.

Someone is sending an uninitialized struct can_frame into the kernel which
comes back this way.

>
> Another possible solution is to only print the flags member if we
> actually have received CANFD frames.

Yes we could do this based on the maxdlen variable.

But this is just a cosmetic fix which IMO hides possible problems.

Therefore I would tend to leave it as-is which in fact helped to find this
uninitialized application issue.

Regards,
Oliver
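
The padding issue discussed in this thread, as an added example that is not part of the original mails or of can-utils: a classic frame is built in a raw buffer once over stale memory and once over zeroed memory, then read back the way a canfd_frame reader sees it. The `ex_` names, the fixed-width stand-ins for `canid_t`/`__u8` and the stale byte `0x5A` are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local copies of the two layouts quoted in the mail (ex_ names are this example's). */
struct ex_can_frame {
    uint32_t can_id;
    uint8_t  can_dlc;
    uint8_t  data[8] __attribute__((aligned(8)));
};
struct ex_canfd_frame {
    uint32_t can_id;
    uint8_t  len, flags, res0, res1;
    uint8_t  data[64] __attribute__((aligned(8)));
};
#define EX_FRAME_SIZE (sizeof(struct ex_can_frame))
#define EX_PAD_START  (offsetof(struct ex_canfd_frame, flags)) /* first unused byte */
#define EX_PAD_END    (offsetof(struct ex_can_frame, data))    /* one past the last */

/* fill != 0 models leftover memory in the sender; fill == 0 models memset() before use.
 * Only the named can_frame members are written afterwards. */
void ex_build_frame(unsigned char *raw, unsigned char fill,
                    uint32_t id, uint8_t dlc, const uint8_t *payload)
{
    if (dlc > 8)
        dlc = 8;
    memset(raw, fill, EX_FRAME_SIZE);
    memcpy(raw + offsetof(struct ex_can_frame, can_id), &id, sizeof id);
    raw[offsetof(struct ex_can_frame, can_dlc)] = dlc;
    memcpy(raw + offsetof(struct ex_can_frame, data), payload, dlc);
}

/* What a reader that interprets the buffer as canfd_frame finds in "flags". */
uint8_t ex_flags_seen(const unsigned char *raw) { return raw[EX_PAD_START]; }
/* Number of the unused bytes that carry non-zero sender memory. */
int ex_leaked_padding(const unsigned char *raw)
{
    int n = 0;
    for (size_t i = EX_PAD_START; i < EX_PAD_END; i++)
        n += raw[i] != 0;
    return n;
}

int main(void)
{
    unsigned char raw[EX_FRAME_SIZE];
    const uint8_t payload[1] = { 0x00 };
    ex_build_frame(raw, 0x5A, 0x111, 1, payload); /* 0x5A: constructed stale byte */
    printf("stale:  flags=0x%02X leaked=%d\n", ex_flags_seen(raw), ex_leaked_padding(raw));
    ex_build_frame(raw, 0x00, 0x111, 1, payload);
    printf("zeroed: flags=0x%02X leaked=%d\n", ex_flags_seen(raw), ex_leaked_padding(raw));
    return 0;
}
```

A sender that clears the whole struct before filling it in produces the second result; the same check on received frames flags senders that do not.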