public inbox for linux-bluetooth@vger.kernel.org
From: "Daryl Van Vorst" <daryl@wideray.com>
To: "'BlueZ Mailing List'" <bluez-devel@lists.sourceforge.net>
Subject: [Bluez-devel] Qualification testing.
Date: Tue, 30 Nov 2004 16:32:01 -0800	[thread overview]
Message-ID: <002501c4d73d$2cd35200$1a01010a@baked> (raw)

Marcel,

Another round of qualification testing has begun. The results so far seem
much less painful this time. :)

So far there is one definite failure. There are a couple others which are
being debated. All of these have appeared because the tests have changed
slightly since (or weren't required) the last time we tested.

Test COS/CFD/BV-12 fails because the IUT does not send result=3 in an l2cap
config response upon reception of an unknown option. Apparently we didn't
have to do this test last time. And it's clear in the code why it fails:
l2cap.c: /* FIXME: Reject unknown option */

I noticed in the spec that the response must contain the offending options:

"On an unknown option failure (Result=0x0003), the option types not understood
by the recipient of the Request must be included in the Response.
Note that hints (defined in Section 6 on page 297), those options in the
Request that are skipped if not understood, must not be included in the
Response and must not be the sole cause for rejecting the Request."

I've been staring at the code pondering how to fix this cleanly. I've
attached an attempt at fixing it. The fix is not quite complete because I
believe it has a buffer overflow vulnerability. It is not fully tested
either. But I figured it was best to run it by you before going too far
because more than likely you'll want to change something. ;)

BTW - We're using 2.4.21-mh10.

-Daryl.
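As an added illustration (not Daryl's patch and not BlueZ code), the following C parser walks the option TLVs of a config request the way the spec text quoted above requires: non-hint options of unknown type are echoed into a bounded response buffer and Result=0x0003 is returned, hints are skipped, and the append refuses to run past the buffer, which is the check the attached patch is missing. The set of known types, the sample request and the function names are assumptions for the example; like the patch it echoes the whole option rather than only its type.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define L2CAP_CONF_SUCCESS     0x00
#define L2CAP_CONF_UNKNOWN_OPT 0x03
#define L2CAP_CONF_HINT        0x80  /* MSB of the type byte marks a hint option */

/* Option types this illustrative parser understands: MTU, flush timeout, QoS. */
static int opt_known(uint8_t type)
{
    return type == 0x01 || type == 0x02 || type == 0x03;
}

/* Walk the type/length/value options of a config request. Each non-hint option
 * of unknown type is echoed whole into rsp, never past rsp_cap. Returns the
 * L2CAP result code for the response, or -1 on a malformed request or when
 * the response buffer is too small. */
int parse_conf_opts(const uint8_t *req, size_t req_len,
                    uint8_t *rsp, size_t rsp_cap, size_t *rsp_len)
{
    size_t in = 0, out = 0;
    int result = L2CAP_CONF_SUCCESS;

    while (in < req_len) {
        uint8_t type, len;
        if (req_len - in < 2)                 /* truncated option header */
            return -1;
        type = req[in];
        len  = req[in + 1];
        if (req_len - in - 2 < len)           /* length runs past the request */
            return -1;
        if (!opt_known(type & ~L2CAP_CONF_HINT) && !(type & L2CAP_CONF_HINT)) {
            /* unknown and not a hint: must be listed in the Result=0x0003 reply */
            if (rsp_cap - out < (size_t)2 + len)
                return -1;                    /* the bound the posted patch lacks */
            memcpy(rsp + out, req + in, 2 + len);
            out += 2 + len;
            result = L2CAP_CONF_UNKNOWN_OPT;
        }
        /* known options would be applied here; hints are skipped silently */
        in += 2 + len;
    }
    *rsp_len = out;
    return result;
}

/* Constructed request: MTU=1024 (known), unknown type 0x10, hint 0x90 (skipped). */
static const uint8_t sample_req[] = { 0x01, 0x02, 0x00, 0x04,
                                      0x10, 0x01, 0xAA,  0x90, 0x01, 0xBB };
```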

[-- Attachment #2: l2cap_diff --]

--- linux-2.4.21/net/bluetooth/l2cap.c	2004-10-19 11:14:43.000000000 -0700
+++ linux-2.4.21_mods/net/bluetooth/l2cap.c	2004-11-30 16:28:37.000000000 -0800
@@ -81,6 +81,8 @@
 static int l2cap_send_req(struct l2cap_conn *conn, __u8 code, __u16 len, void *data);
 static int l2cap_send_rsp(struct l2cap_conn *conn, __u8 ident, __u8 code, __u16 len, void *data);
 
+static void l2cap_add_conf_opt(void **ptr, __u8 type, __u8 len, unsigned long val);
+
 /* ----- L2CAP timers ------ */
 static void l2cap_sock_timeout(unsigned long arg)
 {
@@ -1235,11 +1237,12 @@
 	return len;
 }
 
-static inline void l2cap_parse_conf_req(struct sock *sk, void *data, int len)
+static inline int l2cap_parse_conf_req(struct sock *sk, void *data, int len, void **rsp_ptr)
 {
 	int type, hint, olen; 
 	unsigned long val;
 	void *ptr = data;
+	int result = 0;
 
 	BT_DBG("sk %p len %d", sk, len);
 
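Review bot: the new `void **rsp_ptr` output parameter carries no bound, so l2cap_parse_conf_req has no way to know how much room is left in the caller's response buffer before it appends; pass the end of the buffer (or a remaining-length count) alongside `rsp_ptr` so the append can be checked. Minor: `int result = 0;` relies on 0 being L2CAP_CONF_SUCCESS, so use the define from l2cap.h.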
@@ -1265,10 +1268,13 @@
 			if (hint)
 				break;
 
-			/* FIXME: Reject unknown option */
+			/* Reject unknown option */
+			l2cap_add_conf_opt(rsp_ptr, type, olen, val);
+			result = L2CAP_CONF_UNKNOWN_OPT;
 			break;
 		};
 	}
+	return result;
 }
 
 static void l2cap_add_conf_opt(void **ptr, __u8 type, __u8 len, unsigned long val)
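Review bot: `l2cap_add_conf_opt(rsp_ptr, type, olen, val);` in the `default:` branch appends 2 + olen bytes into the caller's `__u8 rsp[64]` with no check that they fit, and `olen` is taken straight from the peer's request, so a request with a few unknown options, or one unknown option with a large length, writes past the end of rsp; this is the overflow the cover note mentions. Stop (and drop the request) as soon as the echoed option would not fit. Also, the spec text quoted in the mail only requires the option types in the response, so echoing just `type` avoids sending back a `val` that was never decoded for an unknown type.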
@@ -1341,16 +1347,16 @@
 	return result;
 }
 
-static int l2cap_build_conf_rsp(struct sock *sk, void *data, int *result)
+static int l2cap_build_conf_rsp(struct sock *sk, void *data, void **ptr, int *result, int conf_output)
 {
-	l2cap_conf_rsp *rsp = (l2cap_conf_rsp *) data;
-	void *ptr = rsp->data;
+  	l2cap_conf_rsp *rsp = (l2cap_conf_rsp *) data;
+	//	void *ptr = rsp->data;
 	u16 flags = 0;
 
 	BT_DBG("sk %p complete %d", sk, result ? 1 : 0);
 
-	if (result)
-		*result = l2cap_conf_output(sk, &ptr);
+	if (result && conf_output)
+		*result = l2cap_conf_output(sk, ptr);
 	else	
 		flags |= 0x0001;
 
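Review bot: with `result && conf_output` false, the new unknown-option call (result non-NULL, conf_output 0) now takes the `else` branch and sets `flags |= 0x0001`, so the rejection goes out marked as a continuation even though the caller supplied a final result; the continuation flag should only be set for the empty response to an incomplete request (`result == NULL`), e.g. `else if (!result) flags |= 0x0001;`. Also delete `//	void *ptr = rsp->data;` rather than leaving it as a C++-style comment.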
@@ -1358,7 +1364,7 @@
 	rsp->result = __cpu_to_le16(result ? *result : 0);
 	rsp->flags  = __cpu_to_le16(flags);
 
-	return ptr - data;
+	return *ptr - data;
 }
 
 static inline int l2cap_connect_req(struct l2cap_conn *conn, l2cap_cmd_hdr *cmd, __u8 *data)
@@ -1493,6 +1499,7 @@
 	__u8 rsp[64];
 	struct sock *sk;
 	int result;
+	void *ptr = ((l2cap_conf_rsp *)rsp)->data;
 
 	dcid  = __le16_to_cpu(req->dcid);
 	flags = __le16_to_cpu(req->flags);
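Review bot: `ptr` is initialised to the start of the data area but nothing records where `rsp` ends; since `rsp` is the fixed `__u8 rsp[64]` declared just above, compute something like `void *end = rsp + sizeof(rsp);` here and hand it to l2cap_parse_conf_req so the echoed options can be bounded against it.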
@@ -1502,16 +1509,22 @@
 	if (!(sk = l2cap_get_chan_by_scid(&conn->chan_list, dcid)))
 		return -ENOENT;
 
-	l2cap_parse_conf_req(sk, req->data, cmd->len - L2CAP_CONF_REQ_SIZE);
+	result = l2cap_parse_conf_req(sk, req->data, cmd->len - L2CAP_CONF_REQ_SIZE, &ptr);
+
+	if (result) {
+		/* Unknown option */
+		l2cap_send_rsp(conn, cmd->ident, L2CAP_CONF_RSP, l2cap_build_conf_rsp(sk, rsp, &ptr, &result, 0), rsp);
+		goto unlock;
+	}
 
 	if (flags & 0x0001) {
 		/* Incomplete config. Send empty response. */
-		l2cap_send_rsp(conn, cmd->ident, L2CAP_CONF_RSP, l2cap_build_conf_rsp(sk, rsp, NULL), rsp);
+		l2cap_send_rsp(conn, cmd->ident, L2CAP_CONF_RSP, l2cap_build_conf_rsp(sk, rsp, &ptr, NULL, 0), rsp);
 		goto unlock;
 	}
 
 	/* Complete config. */
-	l2cap_send_rsp(conn, cmd->ident, L2CAP_CONF_RSP, l2cap_build_conf_rsp(sk, rsp, &result), rsp);
+	l2cap_send_rsp(conn, cmd->ident, L2CAP_CONF_RSP, l2cap_build_conf_rsp(sk, rsp, &ptr, &result, 1), rsp);
 
 	if (result)
 		goto unlock;
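Review bot: by the time `result` is tested here the parser has already walked every option in the request (the `break` in its `default:` branch only leaves the switch, not the loop), so known options before and after the unknown one are still processed before the rejection is sent; if l2cap_parse_conf_req stores them into sk as it goes, a rejected request has already changed the channel's configuration. Either collect the options first and apply them only on success, or add a comment explaining why that is acceptable. A short comment that only this path uses the advanced `ptr` (the other two calls still see `ptr == rsp->data`) would also help readers.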
--- linux-2.4.21/include/net/bluetooth/l2cap.h	2004-08-26 11:39:27.000000000 -0700
+++ linux-2.4.21_mods/include/net/bluetooth/l2cap.h	2004-11-30 15:43:17.000000000 -0800
@@ -151,6 +151,7 @@
 
 #define L2CAP_CONF_SUCCESS	0x00
 #define L2CAP_CONF_UNACCEPT	0x01
+#define L2CAP_CONF_UNKNOWN_OPT  0x03
 
 typedef struct {
 	__u8       type;
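Review bot: the new define is aligned with spaces where the neighbouring L2CAP_CONF_SUCCESS and L2CAP_CONF_UNACCEPT lines use a tab; match them. The value 0x03 agrees with the Result=0x0003 quoted from the spec in the mail.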
