From: Marcel Holtmann <marcel@holtmann.org>
To: Iain Hibbert <plunky@rya-online.net>
Cc: Daniel Abraham <daniel.shrugged@gmail.com>,
linux-bluetooth@vger.kernel.org
Subject: Re: Bug in parsing of SDP_ServiceSearchAttributeResponse?
Date: Sun, 14 Mar 2010 13:40:30 -0700 [thread overview]
Message-ID: <1268599230.3897.44.camel@localhost.localdomain> (raw)
In-Reply-To: <1268352254.586562.6662.nullmailer@galant.ukfsn.org>
Hi Daniel,
> > According to hcidump (attached), the SDP_ServiceSearchAttributeResponse
> > is malformed, but a different Bluetooth stack (IVT on Windows) is able
> > to report correctly the remote computer's available services.
>
> It could be that the different Bluetooth stacks fetch that information via
> a different request than ServiceSearchAttributes, or that it queries the
> services that it hopes to see individually rather than just the
> PublicBrowseGroup to get everything as in this case.
>
> > So I'm guessing this is a parsing error or interoperability weakness in
> > BlueZ...? (Or, less likely but possible, a bug in the other 2 stacks?)
>
> The PDU that the remote computer sends is truncated at the end of the
> first L2CAP frame (all the 0's that hcidump shows are just empty buffer as
> it does not check the actual frame length). But, each L2CAP frame is
> supposed to contain an entire PDU and when the data exceeds the MTU it
> sends a non zero Continuation State to enable the client to request more
> data.
>
> It might be that this computer was not expecting that the response would
> overflow the L2CAP frame and they didn't write the code to handle that,
> but in the meantime many services were added..
you can decode only HCI and L2CAP like this:
hcidump -r <file> -X -V hci l2cap
That will avoid involving the SDP parser and you see that it is one
L2CAP packet with 672 bytes in there (split over two ACL packets).
The remote stack is having a bug in L2CAP already anyway:
> ACL data: handle 11 flags 0x02 dlen 14
L2CAP(s): Config rsp: scid 0x0040 flags 0x00 result 0 clen 0
Success
It is mandatory for the config response to include the MTU size to
confirm the configured value.
The SDP protocol is pretty clear in how to handle splitting long PDUs
over multiple L2CAP frames. This remote stack doesn't do it at all.
BlueZ handles this properly.
I wouldn't be surprised that even if you see the packet in hcidump, the
kernel actually dropped it. And it never was handed out to the
application because it was not fragmented properly. Check dmesg if the
kernel dropped a packet.
Regards
Marcel
prev parent reply other threads:[~2010-03-14 20:40 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-03-11 21:57 Bug in parsing of SDP_ServiceSearchAttributeResponse? Daniel Abraham
2010-03-12 0:04 ` Iain Hibbert
2010-03-14 13:50 ` Daniel Abraham
2010-03-14 20:16 ` Iain Hibbert
2010-03-14 20:40 ` Marcel Holtmann [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1268599230.3897.44.camel@localhost.localdomain \
--to=marcel@holtmann.org \
--cc=daniel.shrugged@gmail.com \
--cc=linux-bluetooth@vger.kernel.org \
--cc=plunky@rya-online.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).