From: Mat Martineau <mathewm@codeaurora.org>
To: linux-bluetooth@vger.kernel.org, gustavo@padovan.org,
marcel@holtmann.org
Cc: pkrystad@codeaurora.org, ulisses@profusion.mobi,
andrei.emeltchenko.news@gmail.com
Subject: [PATCH 1/4] Bluetooth: Fix a redundant and problematic incoming MTU check
Date: Wed, 2 May 2012 09:41:59 -0700
Message-ID: <1335976922-19456-2-git-send-email-mathewm@codeaurora.org>
In-Reply-To: <1335976922-19456-1-git-send-email-mathewm@codeaurora.org>
The L2CAP MTU for incoming data is verified differently depending on
the L2CAP mode, so the check is best performed in a mode-specific
context. Checking the incoming MTU before HCI fragment reassembly is
a layer violation and assumes all bytes after the standard L2CAP
header are L2CAP data.
This approach causes issues with unsegmented ERTM or streaming mode
frames, where there are additional enhanced or extended headers before
the data payload and possible FCS bytes after the data payload. A
valid frame could be as many as 10 bytes larger than the MTU.
Removing this code is the best fix, because the MTU is checked later
on for all L2CAP data frames (connectionless, basic, ERTM, and
streaming). This also gets rid of outdated locking (socket instead of
l2cap_chan) and an extra lookup of the channel ID.
Signed-off-by: Mat Martineau <mathewm@codeaurora.org>
---
net/bluetooth/l2cap_core.c | 20 --------------------
1 file changed, 20 deletions(-)
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 870116a..5d556b0 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4953,8 +4953,6 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
if (!(flags & ACL_CONT)) {
struct l2cap_hdr *hdr;
- struct l2cap_chan *chan;
- u16 cid;
int len;
if (conn->rx_len) {
@@ -4974,7 +4972,6 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
hdr = (struct l2cap_hdr *) skb->data;
len = __le16_to_cpu(hdr->len) + L2CAP_HDR_SIZE;
- cid = __le16_to_cpu(hdr->cid);
if (len == skb->len) {
/* Complete frame received */
@@ -4991,23 +4988,6 @@ int l2cap_recv_acldata(struct hci_conn *hcon, struct sk_buff *skb, u16 flags)
goto drop;
}
- chan = l2cap_get_chan_by_scid(conn, cid);
-
- if (chan && chan->sk) {
- struct sock *sk = chan->sk;
- lock_sock(sk);
-
- if (chan->imtu < len - L2CAP_HDR_SIZE) {
- BT_ERR("Frame exceeding recv MTU (len %d, "
- "MTU %d)", len,
- chan->imtu);
- release_sock(sk);
- l2cap_conn_unreliable(conn, ECOMM);
- goto drop;
- }
- release_sock(sk);
- }
-
/* Allocate skb for the complete frame (with header) */
conn->rx_skb = bt_skb_alloc(len, GFP_ATOMIC);
if (!conn->rx_skb)
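Review bot: the removed block was the only place in this function that called l2cap_conn_unreliable(conn, ECOMM) before dropping an oversized frame; the later per-mode MTU checks the commit message relies on should be confirmed to either keep marking the connection unreliable or to drop that behaviour on purpose, since the message only says the MTU is still checked. There is no new memory exposure from the removal: a frame whose CID matched no channel (chan == NULL, or chan->sk unset) already bypassed this check and was buffered through bt_skb_alloc(len, GFP_ATOMIC) with len taken from the 16-bit header field, so the allocation size was never bounded by imtu here in the first place.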
--
1.7.10
--
Mat Martineau
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum
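As an added illustration of the layout problem the commit message describes (example code written for this page, not part of the patch or of the kernel): an unsegmented ERTM or streaming I-frame carries a 2-byte enhanced or 4-byte extended control field between the basic L2CAP header and the SDU, plus a 2-byte FCS after the SDU when FCS is enabled, so a check that treats every byte after the 4-byte header as SDU data rejects a frame whose SDU is exactly the negotiated MTU. The field sizes and control-field bit positions below follow the Bluetooth Core spec L2CAP chapter and are restated here rather than copied from kernel headers; the CID 0x0040, the MTU of 672, the frame contents and all function names are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Field sizes per the Bluetooth Core spec L2CAP chapter (assumed here,
 * not taken from the kernel's own definitions). */
#define L2CAP_HDR_SIZE      4  /* 16-bit PDU length + 16-bit CID          */
#define L2CAP_ENH_CTRL_SIZE 2  /* enhanced control field (ERTM/streaming) */
#define L2CAP_EXT_CTRL_SIZE 4  /* extended control field, when negotiated */
#define L2CAP_SDULEN_SIZE   2  /* SDU length, present on SAR "start" only */
#define L2CAP_FCS_SIZE      2  /* 16-bit FCS trailer, when enabled        */

enum l2cap_mode { MODE_BASIC, MODE_ERTM, MODE_STREAMING };
enum sar { SAR_UNSEGMENTED = 0, SAR_START = 1, SAR_END = 2, SAR_CONTINUE = 3 };
enum verdict { ACCEPT, REJECT_MTU, REJECT_SHORT, REJECT_LEN_MISMATCH };

struct chan_cfg {
    enum l2cap_mode mode;
    bool ext_ctrl;     /* extended (32-bit) control field in use */
    bool fcs;          /* FCS trailer present on frames          */
    uint16_t imtu;     /* largest SDU we agreed to receive       */
};

static uint16_t get_le16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t get_le32(const uint8_t *p) { return get_le16(p) | (uint32_t)get_le16(p + 2) << 16; }
static void put_le16(uint8_t *p, uint16_t v) { p[0] = v & 0xff; p[1] = v >> 8; }

/* What the removed early check did: every byte after the 4-byte basic
 * header is assumed to be SDU data, whatever the channel mode. */
static enum verdict naive_mtu_check(const struct chan_cfg *c, size_t frame_len)
{
    if (frame_len < L2CAP_HDR_SIZE) return REJECT_SHORT;
    return frame_len - L2CAP_HDR_SIZE > c->imtu ? REJECT_MTU : ACCEPT;
}

/* Mode-aware check on one complete (already reassembled) L2CAP frame.
 * Strips control field, optional SDU-length field and FCS before comparing
 * against the MTU; S-frames carry no data and never violate the MTU. */
static enum verdict mode_aware_mtu_check(const struct chan_cfg *c,
                                         const uint8_t *frame, size_t frame_len,
                                         size_t *sdu_bytes)
{
    if (frame_len < L2CAP_HDR_SIZE) return REJECT_SHORT;
    size_t len = get_le16(frame);                 /* PDU length field */
    if (len + L2CAP_HDR_SIZE != frame_len) return REJECT_LEN_MISMATCH;

    size_t ctrl = 0, fcs = 0, sdulen = 0;
    unsigned sar = SAR_UNSEGMENTED;
    bool s_frame = false;
    const uint8_t *p = frame + L2CAP_HDR_SIZE;

    if (c->mode != MODE_BASIC) {
        ctrl = c->ext_ctrl ? L2CAP_EXT_CTRL_SIZE : L2CAP_ENH_CTRL_SIZE;
        if (len < ctrl) return REJECT_SHORT;
        if (c->ext_ctrl) {          /* bit 0: frame type, bits 16-17: SAR */
            uint32_t ctl = get_le32(p);
            s_frame = ctl & 1; sar = (ctl >> 16) & 3;
        } else {                    /* bit 0: frame type, bits 14-15: SAR */
            uint16_t ctl = get_le16(p);
            s_frame = ctl & 1; sar = (ctl >> 14) & 3;
        }
        fcs = c->fcs ? L2CAP_FCS_SIZE : 0;
        if (!s_frame && sar == SAR_START) sdulen = L2CAP_SDULEN_SIZE;
    }
    if (len < ctrl + sdulen + fcs) return REJECT_SHORT;
    size_t data = len - ctrl - sdulen - fcs;
    if (sdu_bytes) *sdu_bytes = data;

    if (s_frame) return ACCEPT;
    if (sar == SAR_START)           /* total SDU size is announced up front */
        return get_le16(p + ctrl) > c->imtu ? REJECT_MTU : ACCEPT;
    if (sar == SAR_UNSEGMENTED)
        return data > c->imtu ? REJECT_MTU : ACCEPT;
    return ACCEPT;                  /* END/CONTINUE: enforced at reassembly */
}

/* Constructed, unsegmented I-frame with data_len bytes of 0xAA. TxSeq and
 * ReqSeq are zero and the FCS bytes are left zero (not verified here). */
static size_t build_iframe(uint8_t *buf, const struct chan_cfg *c, uint16_t cid,
                           size_t data_len)
{
    size_t ctrl = c->ext_ctrl ? L2CAP_EXT_CTRL_SIZE : L2CAP_ENH_CTRL_SIZE;
    size_t fcs = c->fcs ? L2CAP_FCS_SIZE : 0;
    size_t len = ctrl + data_len + fcs;
    put_le16(buf, (uint16_t)len);
    put_le16(buf + 2, cid);
    memset(buf + L2CAP_HDR_SIZE, 0, ctrl);        /* I-frame, SAR unsegmented */
    memset(buf + L2CAP_HDR_SIZE + ctrl, 0xAA, data_len);
    memset(buf + L2CAP_HDR_SIZE + ctrl + data_len, 0, fcs);
    return L2CAP_HDR_SIZE + len;
}

/* A full-MTU SDU in an ERTM frame with extended control and FCS: the
 * header-only check rejects it, the mode-aware check accepts it. */
static int naive_rejects_valid_max_frame(void)
{
    struct chan_cfg c = { MODE_ERTM, true, true, 672 };   /* constructed config */
    uint8_t buf[1024];
    size_t n = build_iframe(buf, &c, 0x0040, c.imtu);     /* constructed CID */
    size_t data = 0;
    return naive_mtu_check(&c, n) == REJECT_MTU &&
           mode_aware_mtu_check(&c, buf, n, &data) == ACCEPT && data == c.imtu;
}
```

With extended control and FCS enabled, the constructed frame is 4 + 4 + 672 + 2 = 682 bytes; the header-only check sees 678 bytes after the basic header, compares that to an MTU of 672 and drops a frame whose SDU is exactly the MTU. The mode-aware check parses the control field first, so it also knows to skip S-frames and to read the announced total from the SDU length field on a SAR start frame instead of measuring one segment.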
Thread overview: 18+ messages
2012-05-02 16:41 [PATCH 0/4] ERTM state machine changes, part 2 Mat Martineau
2012-05-02 16:41 ` Mat Martineau [this message]
2012-05-04 18:55 ` [PATCH 1/4] Bluetooth: Fix a redundant and problematic incoming MTU check Ulisses Furquim
2012-05-04 20:39 ` Gustavo Padovan
2012-05-04 20:37 ` Gustavo Padovan
2012-05-02 16:42 ` [PATCH 2/4] Bluetooth: Restore locking semantics when looking up L2CAP channels Mat Martineau
2012-05-04 18:58 ` Ulisses Furquim
2012-05-02 16:42 ` [PATCH 3/4] Bluetooth: Lock the L2CAP channel when sending Mat Martineau
2012-05-04 19:06 ` Ulisses Furquim
2012-05-04 21:54 ` Mat Martineau
2012-05-05 1:11 ` Ulisses Furquim
2012-05-02 16:42 ` [PATCH 4/4] Bluetooth: Refactor L2CAP ERTM and streaming transmit segmentation Mat Martineau
2012-05-04 19:12 ` Ulisses Furquim
2012-05-04 20:57 ` Gustavo Padovan
2012-05-14 9:52 ` Andrei Emeltchenko
2012-05-14 15:47 ` Mat Martineau
2012-05-02 21:40 ` [PATCH 0/4] ERTM state machine changes, part 2 Mat Martineau
2012-05-04 19:10 ` Ulisses Furquim