linux-bluetooth.vger.kernel.org archive mirror
* [Bluez-devel] Bug: infinite loop in extract_seq() when sdp_extract_seqtype() fails
@ 2006-06-16 23:01 Jason Watts
  2006-06-17 10:07 ` Marcel Holtmann
  0 siblings, 1 reply; 7+ messages in thread
From: Jason Watts @ 2006-06-16 23:01 UTC (permalink / raw)
  To: BlueZ

Hi,

I'm new to this list.  Please let me know if there is a more  
appropriate place to report this.

It appears that extract_seq() in sdp.c (bluez-libs) can enter an  
infinite loop if sdp_extract_seqtype() fails when extract_seq() has  
called itself recursively.  Here's how:

  1  static sdp_data_t *extract_seq(const void *p, int *len, sdp_record_t *rec)
  2  {
  3    int seqlen, n = 0;
  4    sdp_data_t *curr, *prev;
  5    sdp_data_t *d = (sdp_data_t *)malloc(sizeof(sdp_data_t));
  6
  7    SDPDBG("Extracting SEQ");
  8    memset(d, 0, sizeof(sdp_data_t));
  9    *len = sdp_extract_seqtype(p, &d->dtd, &seqlen);
10    SDPDBG("Sequence Type : 0x%x length : 0x%x\n", d->dtd, seqlen);
11
12    if (*len == 0)
13      return d;
14
15    p += *len;
16    curr = prev = NULL;
17    while (n < seqlen) {
18      int attrlen = 0;
19      curr = sdp_extract_attr(p, &attrlen, rec);
20      if (curr == NULL)
21        break;
22
23      if (prev)
24        prev->next = curr;
25      else
26        d->val.dataseq = curr;
27      prev = curr;
28      p += attrlen;
29      n += attrlen;
30
31      SDPDBG("Extracted: %d SequenceLength: %d", n, seqlen);
32    }
33
34    *len += n;
35    return d;
36  }


On line 9, sdp_extract_seqtype() will return zero if it does not  
recognize the sequence type.  When this happens, extract_seq() will  
set the output argument len to zero and return a pointer on line 13.   
Note that it will NOT return NULL.  It returns the chunk allocated on  
line 5.

Now, the while loop calls sdp_extract_attr() on line 19.  This call  
sets attrlen.  The loop will not advance if attrlen remains zero.   
sdp_extract_attr() function can in turn call extract_seq() again  
recursively.  When that happens here, the call to sdp_extract_attr()  
is equivalent to calling extract_seq() directly.

The loop would break on line 21 if sdp_extract_attr() returned NULL.   
But sdp_extract_attr() never returns NULL if it calls extract_seq(),  
because extract_seq() never returns NULL.

Thus, if sdp_extract_attr() calls extract_seq(), and then the  
sdp_extract_seqtype() call fails, then the loop will not break,  
because sdp_extract_attr() will return non-NULL, and the loop will  
not advance because attrlen will be zero.


Jason Watts
Embedded Software Engineer
Qwikker, Inc.



_______________________________________________
Bluez-devel mailing list
Bluez-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/bluez-devel
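The loop shape described in the report above, as an added example that is
not BlueZ code and not part of this thread: a small C model of the
extract_seq() / sdp_extract_attr() pair. It keeps the two properties the
report relies on (the sequence extractor hands back a non-NULL node with
*len == 0 when the header is rejected, and the caller's loop stops only on a
NULL child) and puts a hardened variant beside it that fails the whole
sequence on any child that makes no progress. The descriptor values are the
SDP data element descriptors BlueZ names SDP_SEQ8, SDP_SEQ16, SDP_UINT8,
SDP_UINT16 and SDP_UUID16; the sample records are constructed; the condition
that makes the toy's header check fail (a sequence whose declared length
runs past the buffer) is this example's own assumption, since the thread
never identifies what made sdp_extract_seqtype() fail. With the original
semantics the model detects the non-advancing iteration and returns instead
of spinning.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SDP data element descriptors (BlueZ's SDP_SEQ8, SDP_SEQ16, SDP_UINT8,
 * SDP_UINT16, SDP_UUID16). */
enum { SEQ8 = 0x35, SEQ16 = 0x36, UINT8 = 0x08, UINT16 = 0x09, UUID16 = 0x19 };

/* One parsed element: 'ok' stands in for the non-NULL node that
 * sdp_extract_attr() returns, 'len' for the attrlen it writes back. */
struct elem { int ok; size_t len; };

/* Sequence header: descriptor byte plus a 1- or 2-byte length.  Returns the
 * header size, or 0 on failure (the sdp_extract_seqtype() contract the report
 * quotes).  Failing when the declared length runs past the buffer is this
 * toy's own assumption; the thread never says what made the real call fail. */
static size_t seq_header(const uint8_t *p, size_t avail, size_t *seqlen)
{
    if (avail >= 2 && p[0] == SEQ8 && 2 + (size_t)p[1] <= avail) {
        *seqlen = p[1];
        return 2;
    }
    if (avail >= 3 && p[0] == SEQ16) {
        size_t l = ((size_t)p[1] << 8) | p[2];
        if (3 + l <= avail) { *seqlen = l; return 3; }
    }
    return 0;
}

static struct elem extract_elem(const uint8_t *p, size_t avail, int hardened, int *stalled);

/* The extract_seq() loop from the report.  hardened == 0 keeps the original
 * semantics: a rejected header still yields an ok node with len 0, and the
 * loop stops only on a !ok child, so an ok child with len 0 leaves n unchanged
 * forever.  The model records that in *stalled and returns so the program
 * finishes; the real code would spin.  hardened == 1 fails the whole sequence
 * on any child that makes no progress.  Recursion terminates because each
 * child sees a strictly smaller 'avail'. */
static struct elem extract_seq_model(const uint8_t *p, size_t avail, int hardened, int *stalled)
{
    struct elem out = { 1, 0 };     /* original: node returned even on failure */
    size_t seqlen = 0, n = 0;
    size_t hdr = seq_header(p, avail, &seqlen);
    if (hdr == 0) {
        if (hardened)
            out.ok = 0;             /* fix: report failure, not an empty node */
        return out;
    }
    while (n < seqlen) {
        struct elem child = extract_elem(p + hdr + n, seqlen - n, hardened, stalled);
        if (!child.ok || child.len == 0) {
            if (hardened) { out.ok = 0; return out; }  /* fix: reject the sequence */
            if (!child.ok)
                break;              /* original: NULL child ends the loop */
            *stalled = 1;           /* original: ok child, len 0, no progress */
            return out;
        }
        n += child.len;
    }
    out.len = hdr + n;
    return out;
}

/* sdp_extract_attr() stand-in: primitives are sized from the descriptor,
 * sequence descriptors recurse, anything else is the NULL return. */
static struct elem extract_elem(const uint8_t *p, size_t avail, int hardened, int *stalled)
{
    struct elem e = { 1, 0 };
    if (avail == 0) { e.ok = 0; return e; }
    switch (p[0]) {
    case UINT8:               e.len = 2; break;
    case UINT16: case UUID16: e.len = 3; break;
    case SEQ8:   case SEQ16:  return extract_seq_model(p, avail, hardened, stalled);
    default:                  e.ok = 0; return e;
    }
    if (e.len > avail)
        e.ok = 0;                   /* truncated primitive */
    return e;
}

/* 1: record parsed to the end; 0: rejected; -1: the original loop would not
 * have advanced (the infinite loop from the report). */
int parse_record(const uint8_t *buf, size_t len, int hardened)
{
    int stalled = 0;
    struct elem r = extract_seq_model(buf, len, hardened, &stalled);
    if (stalled)
        return -1;
    return (r.ok && r.len == len) ? 1 : 0;
}

/* Constructed sample records.  GOOD: SEQ8 holding UUID16 0x1101 and UINT8 0x2A.
 * STALLER: SEQ8 of 4 bytes whose first child claims to be a SEQ8 of 16 bytes. */
static const uint8_t GOOD[]    = { 0x35, 0x05, 0x19, 0x11, 0x01, 0x08, 0x2A };
static const uint8_t STALLER[] = { 0x35, 0x04, 0x35, 0x10, 0x08, 0x01 };

int main(void)
{
    for (int h = 0; h < 2; h++)
        printf("hardened=%d good=%d staller=%d\n", h,
               parse_record(GOOD, sizeof GOOD, h), parse_record(STALLER, sizeof STALLER, h));
    return 0;
}
```

parse_record() answers 1 for a record parsed to its end, 0 for a rejected
one, and -1 when the original loop would have spun. The point worth keeping
from the model is that a sub-parser which reports "success, zero bytes
consumed" to a length-driven loop is an infinite loop waiting for one
malformed packet from any device in radio range; the caller has to treat
zero progress as fatal rather than as something the next iteration will sort
out.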


* Re: [Bluez-devel] Bug: infinite loop in extract_seq() when sdp_extract_seqtype() fails
  2006-06-16 23:01 [Bluez-devel] Bug: infinite loop in extract_seq() when sdp_extract_seqtype() fails Jason Watts
@ 2006-06-17 10:07 ` Marcel Holtmann
  2006-06-19 18:08   ` Jason Watts
  0 siblings, 1 reply; 7+ messages in thread
From: Marcel Holtmann @ 2006-06-17 10:07 UTC (permalink / raw)
  To: BlueZ development

Hi Jason,

> I'm new to this list.  Please let me know if there is a more  
> appropriate place to report this.

this mailing list is the correct place to report such problems.

> It appears that extract_seq() in sdp.c (bluez-libs) can enter an  
> infinite loop if sdp_extract_seqtype() fails when extract_seq() has  
> called itself recursively.  Here's how:

Do you have a patch for it or can you send a small reproducer program?

Regards

Marcel






* Re: [Bluez-devel] Bug: infinite loop in extract_seq() when sdp_extract_seqtype() fails
  2006-06-17 10:07 ` Marcel Holtmann
@ 2006-06-19 18:08   ` Jason Watts
  2006-06-19 18:27     ` Marcel Holtmann
  0 siblings, 1 reply; 7+ messages in thread
From: Jason Watts @ 2006-06-19 18:08 UTC (permalink / raw)
  To: BlueZ development

>> It appears that extract_seq() in sdp.c (bluez-libs) can enter an
>> infinite loop if sdp_extract_seqtype() fails when extract_seq() has
>> called itself recursively.  Here's how:
>
> Do you have a patch for it or can you send a small reproducer program?

This may be a false alarm.  When I looked closer, I could not explain
how the program could reach the state I described.  The problem is
that sdp_extract_attr() only calls extract_seq() for aggregate
types.  In fact, exactly those types that sdp_extract_seqtype()
expects.  With that invariant, I don't see how the program could fall
into the loop I described, not without resorting to exotic explanations.

All I know at this point is that /var/log/messages gets an endless
flood of

   sdp_extract_seqtype: Unknown sequence type, aborting

We don't know yet what triggers this.  Of course I will follow up if
it still turns out to be a problem in bluez.

Jason Watts
Embedded Software Engineer
Qwikker, Inc.





* Re: [Bluez-devel] Bug: infinite loop in extract_seq() when sdp_extract_seqtype() fails
  2006-06-19 18:08   ` Jason Watts
@ 2006-06-19 18:27     ` Marcel Holtmann
  2006-06-20  7:37       ` Pedro Monjo Florit
  0 siblings, 1 reply; 7+ messages in thread
From: Marcel Holtmann @ 2006-06-19 18:27 UTC (permalink / raw)
  To: BlueZ development

Hi Jason,

> >> It appears that extract_seq() in sdp.c (bluez-libs) can enter an
> >> infinite loop if sdp_extract_seqtype() fails when extract_seq() has
> >> called itself recursively.  Here's how:
> >
> > Do you have a patch for it or can you send a small reproducer program?
> 
> This may be a false alarm.  When I looked closer, I could not explain  
> how the program could reach the state I described.  The problem is  
> that sdp_extract_attr() only calls extract_seq() for aggregate  
> types.  In fact, exactly those types that sdp_extract_seqtype()  
> expects.  With that invariant, I don't see how the program could fall  
> into the loop I described, not without resorting to exotic explanations.
> 
> All I know at this point is that /var/log/messages gets an endless  
> flood of
> 
>    sdp_extract_seqtype: Unknown sequence type, aborting
> 
> We don't know yet what triggers this.  Of course I will follow up if  
> it still turns out to be a problem in bluez.

it is kinda likely that SDP still has endless loops in it. However
please make sure you use the latest bluez-libs from CVS and really run
the latest sdpd and/or sdptool.

Regards

Marcel






* Re: [Bluez-devel] Bug: infinite loop in extract_seq() when sdp_extract_seqtype() fails
  2006-06-19 18:27     ` Marcel Holtmann
@ 2006-06-20  7:37       ` Pedro Monjo Florit
  2006-06-20 19:54         ` Jason Watts
  0 siblings, 1 reply; 7+ messages in thread
From: Pedro Monjo Florit @ 2006-06-20  7:37 UTC (permalink / raw)
  To: bluez-devel

Hi Jason and Marcel,

>>>> It appears that extract_seq() in sdp.c (bluez-libs) can enter an
>>>> infinite loop if sdp_extract_seqtype() fails when extract_seq() has
>>>> called itself recursively.  Here's how:
>>> Do you have a patch for it or can you send a small reproducer program?
>> This may be a false alarm.  When I looked closer, I could not explain  
>> how the program could reach the state I described.  The problem is  
>> that sdp_extract_attr() only calls extract_seq() for aggregate  
>> types.  In fact, exactly those types that sdp_extract_seqtype()  
>> expects.  With that invariant, I don't see how the program could fall  
>> into the loop I described, not without resorting to exotic explanations.
>>
>> All I know at this point is that /var/log/messages gets an endless  
>> flood of
>>
>>    sdp_extract_seqtype: Unknown sequence type, aborting
>>
>> We don't know yet what triggers this.  Of course I will follow up if  
>> it still turns out to be a problem in bluez.
> 
> it is kinda likely that SDP still has endless loops in it. However
> please make sure you use the latest bluez-libs from CVS and really run
> the latest sdpd and/or sdptool.


In a message I sent to the mailing-list back in February (Valentine's
day), I explained what, IMHO, is the same problem. I have seen this
infinite loop being triggered by a Samsung mobile phone, but still do
not know which. I did not state it then, but syslog got flooded with the
same message that Jason reports.

I have tried to reproduce the problem with two Samsung's, with no luck.
All I could suggest is that, anybody monitoring the list with a Samsung
at hand, could fiddle with sdptool and see if the problem arises.

Cheers,

Pedro




* Re: [Bluez-devel] Bug: infinite loop in extract_seq() when sdp_extract_seqtype() fails
  2006-06-20  7:37       ` Pedro Monjo Florit
@ 2006-06-20 19:54         ` Jason Watts
  2006-07-11 22:46           ` Jason Watts
  0 siblings, 1 reply; 7+ messages in thread
From: Jason Watts @ 2006-06-20 19:54 UTC (permalink / raw)
  To: BlueZ development

On Jun 20, 2006, at 12:37 AM, Pedro Monjo Florit wrote:

>>> All I know at this point is that /var/log/messages gets an endless
>>> flood of
>>>
>>>    sdp_extract_seqtype: Unknown sequence type, aborting
>>>
>>> We don't know yet what triggers this.  Of course I will follow up if
>>> it still turns out to be a problem in bluez.
>>
>> it is kinda likely that SDP still has endless loops in it. However
>> please make sure you use the latest bluez-libs from CVS and really run
>> the latest sdpd and/or sdptool.
>
>
> In a message I sent to the mailing-list back in February (Valentine's
> day), I explained what, IMHO, is the same problem. I have seen this
> infinite loop being triggered by a Samsung mobile phone, but still do
> not know which. I did not state it then, but syslog got flooded with the
> same message that Jason reports.

Thanks, Pedro.  This corroborates my findings and further isolates
the fault.

I don't know which phone, either.  This happened at a large venue, so
it could have been anyone in range.  However, I identified OUI and
CoD of the most likely culprits from our logs.  Samsung OUIs also
showed up in our data.

Here are the candidates, from most likely to least:

    OUI       CoD       Org. (from http://standards.ieee.org/regauth/oui/oui.txt)
    00:15:B9  0x7A0204  Samsung Electronics
    00:12:47  0x7A0204  Samsung Electronics
    00:12:56  0x520204  LG Information & Comm.
    00:0E:6D  0x520204  Murata Manufacturing

I've added code to capture a call chain when this problem occurs.
We'll deploy this change and hopefully nail down the problem.


Jason Watts
Embedded Software Engineer
Qwikker, Inc.





* Re: [Bluez-devel] Bug: infinite loop in extract_seq() when sdp_extract_seqtype() fails
  2006-06-20 19:54         ` Jason Watts
@ 2006-07-11 22:46           ` Jason Watts
  0 siblings, 0 replies; 7+ messages in thread
From: Jason Watts @ 2006-07-11 22:46 UTC (permalink / raw)
  To: BlueZ development


On Jun 20, 2006, at 12:54 PM, Jason Watts wrote:

> On Jun 20, 2006, at 12:37 AM, Pedro Monjo Florit wrote:
>
>>>> All I know at this point is that /var/log/messages gets an endless
>>>> flood of
>>>>
>>>>    sdp_extract_seqtype: Unknown sequence type, aborting
>>>>
>>
>>
>> In a message I sent to the mailing-list back in February (Valentine's
>> day), I explained what, IMHO, is the same problem. I have seen this
>> infinite loop being triggered by a Samsung mobile phone, but still do
>> not know which.
>
>
> I've added code to capture a call chain when this problem occurs.
> We'll deploy this change and hopefully nail down the problem.


We've traced this to a known problem that occurs in bluez libs 2.10,  
but was fixed in 2.23 (in sdp.c 1.31).  I was looking at the wrong  
version of the source code before, so I couldn't find the faulty  
logic.  It had already been fixed by then!

Thanks for the fix. :-)

Jason Watts
Embedded Software Engineer
Qwikker, Inc.




end of thread, other threads:[~2006-07-11 22:46 UTC | newest]
