From: mcchou@chromium.org
To: linux-bluetooth@vger.kernel.org
Cc: luiz.von.dentz@intel.com, josephsih@chromium.org,
johan.hedberg@gmail.com, Miao-chen Chou <mcchou@chromium.org>
Subject: [PATCH v2] monitor/rfcomm: Fix a potential memory access issue for compatibility with LLVM
Date: Wed, 7 Dec 2016 17:35:37 -0800 [thread overview]
Message-ID: <1481160937-148025-1-git-send-email-mcchou@chromium.org> (raw)
From: Miao-chen Chou <mcchou@chromium.org>
This patch replaces the use of struct rfcomm_rpn with local variables in
mcc_rpn() to avoid passing the address of an unaligned member of a packed
struct. Since struct rfcomm_rpn is only used in mcc_rpn(), its definition is
removed. This patch also introduces a temporary variable in mcc_pn() to prevent
the same unaligned access.
---
monitor/rfcomm.c | 48 +++++++++++++++++++++---------------------------
1 file changed, 21 insertions(+), 27 deletions(-)
diff --git a/monitor/rfcomm.c b/monitor/rfcomm.c
index b32ad40..6b9d355 100644
--- a/monitor/rfcomm.c
+++ b/monitor/rfcomm.c
@@ -98,16 +98,6 @@ struct rfcomm_lmsc {
uint8_t break_sig;
} __attribute__((packed));
-struct rfcomm_rpn {
- uint8_t dlci;
- uint8_t bit_rate;
- uint8_t parity;
- uint8_t io;
- uint8_t xon;
- uint8_t xoff;
- uint16_t pm;
-} __attribute__ ((packed));
-
struct rfcomm_rls {
uint8_t dlci;
uint8_t error;
@@ -198,47 +188,48 @@ done:
static inline bool mcc_rpn(struct rfcomm_frame *rfcomm_frame, uint8_t indent)
{
struct l2cap_frame *frame = &rfcomm_frame->l2cap_frame;
- struct rfcomm_rpn rpn;
+ uint8_t dlci, bit_rate, parity, io, xon, xoff;
+ uint16_t pm;
- if (!l2cap_frame_get_u8(frame, &rpn.dlci))
+ if (!l2cap_frame_get_u8(frame, &dlci))
return false;
- print_field("%*cdlci %d", indent, ' ', RFCOMM_GET_DLCI(rpn.dlci));
+ print_field("%*cdlci %d", indent, ' ', RFCOMM_GET_DLCI(dlci));
if (frame->size < 7)
goto done;
/* port value octets (optional) */
- if (!l2cap_frame_get_u8(frame, &rpn.bit_rate))
+ if (!l2cap_frame_get_u8(frame, &bit_rate))
return false;
- if (!l2cap_frame_get_u8(frame, &rpn.parity))
+ if (!l2cap_frame_get_u8(frame, &parity))
return false;
- if (!l2cap_frame_get_u8(frame, &rpn.io))
+ if (!l2cap_frame_get_u8(frame, &io))
return false;
print_field("%*cbr %d db %d sb %d p %d pt %d xi %d xo %d", indent, ' ',
- rpn.bit_rate, GET_RPN_DB(rpn.parity), GET_RPN_SB(rpn.parity),
- GET_RPN_PARITY(rpn.parity), GET_RPN_PTYPE(rpn.parity),
- GET_RPN_XIN(rpn.io), GET_RPN_XOUT(rpn.io));
+ bit_rate, GET_RPN_DB(parity), GET_RPN_SB(parity),
+ GET_RPN_PARITY(parity), GET_RPN_PTYPE(parity),
+ GET_RPN_XIN(io), GET_RPN_XOUT(io));
- if (!l2cap_frame_get_u8(frame, &rpn.xon))
+ if (!l2cap_frame_get_u8(frame, &xon))
return false;
- if (!l2cap_frame_get_u8(frame, &rpn.xoff))
+ if (!l2cap_frame_get_u8(frame, &xoff))
return false;
print_field("%*crtri %d rtro %d rtci %d rtco %d xon %d xoff %d",
- indent, ' ', GET_RPN_RTRI(rpn.io), GET_RPN_RTRO(rpn.io),
- GET_RPN_RTCI(rpn.io), GET_RPN_RTCO(rpn.io), rpn.xon,
- rpn.xoff);
+ indent, ' ', GET_RPN_RTRI(io), GET_RPN_RTRO(io),
+ GET_RPN_RTCI(io), GET_RPN_RTCO(io), xon, xoff);
- if (!l2cap_frame_get_le16(frame, &rpn.pm))
+ /* prevent unaligned memory access */
+ if (!l2cap_frame_get_le16(frame, &pm))
return false;
- print_field("%*cpm 0x%04x", indent, ' ', rpn.pm);
+ print_field("%*cpm 0x%04x", indent, ' ', pm);
done:
return true;
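Review bot: The comment `/* prevent unaligned memory access */` added above `l2cap_frame_get_le16(frame, &pm)` no longer describes that line: on the new side `pm` is an ordinary `uint16_t` local, so the read is naturally aligned and nothing at that call site is being prevented. What actually removes the misaligned access is the replacement of the packed `struct rfcomm_rpn` with plain locals, which the commit message already explains, so I would drop the comment or make it say why locals were chosen, e.g. `/* plain locals: &rpn.pm of the packed struct was misaligned */`. mcc_rpn's closing brace lies outside the hunk.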
@@ -265,6 +256,7 @@ static inline bool mcc_pn(struct rfcomm_frame *rfcomm_frame, uint8_t indent)
{
struct l2cap_frame *frame = &rfcomm_frame->l2cap_frame;
struct rfcomm_pn pn;
+ uint16_t mtu;
/* rfcomm_pn struct is defined in rfcomm.h */
@@ -284,8 +276,10 @@ static inline bool mcc_pn(struct rfcomm_frame *rfcomm_frame, uint8_t indent)
if (!l2cap_frame_get_u8(frame, &pn.ack_timer))
return false;
- if (!l2cap_frame_get_le16(frame, &pn.mtu))
+ /* prevent unaligned memory access */
+ if (!l2cap_frame_get_le16(frame, &mtu))
return false;
+ pn.mtu = mtu;
if (!l2cap_frame_get_u8(frame, &pn.max_retrans))
return false;
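Review bot: The comment `/* prevent unaligned memory access */` on the new `l2cap_frame_get_le16(frame, &mtu)` states what the temporary avoids but not why `&pn.mtu` was a problem, which is the one fact a maintainer needs before "simplifying" `mtu` back into the struct. Presumably `struct rfcomm_pn` in rfcomm.h is declared packed, so `&pn.mtu` is a pointer that may not be 2-byte aligned and is what LLVM objects to; I would say so: `/* pn is packed: read into an aligned temporary rather than passing &pn.mtu */`. The subsequent `pn.mtu = mtu;` is a plain member store, which the compiler handles correctly for a packed field, so no further change is needed there. mcc_pn's body continues beyond the hunk on both sides.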
--
2.8.0.rc3.226.g39d4020