From: Andrei Emeltchenko <Andrei.Emeltchenko.news@gmail.com>
To: linux-bluetooth@vger.kernel.org
Subject: Re: [PATCHv2 01/10] monitor: Fix segmentation fault with malformed packet
Date: Tue, 12 Aug 2014 10:55:41 +0300
Message-ID: <20140812075535.GC10034@aemeltch-MOBL1>
In-Reply-To: <20140811132233.GA27174@t440s>
Hi Johan,
On Mon, Aug 11, 2014 at 04:22:33PM +0300, Johan Hedberg wrote:
> Hi Andrei,
>
> On Mon, Aug 11, 2014, Andrei Emeltchenko wrote:
> > Do not allow to read more than buffer size.
> > This fixes segmentation fault reading capture from target (apparently
> > end of the trace was broken).
> > ---
> > monitor/btsnoop.c | 7 +++++++
> > src/shared/btsnoop.c | 5 +++++
> > src/shared/btsnoop.h | 2 ++
> > 3 files changed, 14 insertions(+)
> >
> > diff --git a/monitor/btsnoop.c b/monitor/btsnoop.c
> > index fafeff8..ec19812 100644
> > --- a/monitor/btsnoop.c
> > +++ b/monitor/btsnoop.c
> > @@ -304,6 +304,13 @@ int btsnoop_read_hci(struct timeval *tv, uint16_t *index, uint16_t *opcode,
> > }
> >
> > toread = be32toh(pkt.size);
> > + if (toread > MAX_PACKET_SIZE) {
> > + perror("Packet len suspicially big: %u", toread);
> > + close(btsnoop_fd);
> > + btsnoop_fd = -1;
> > + return -1;
> > + }
> > +
> > flags = be32toh(pkt.flags);
> >
> > ts = be64toh(pkt.ts) - 0x00E03AB44A676000ll;
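Review bot: the call `perror("Packet len suspicially big: %u", toread);` in this hunk will not compile, because perror(3) takes a single `const char *` and no format arguments; even if it did build, it appends strerror(errno), which is unrelated to a bad length field. Replace it with `fprintf(stderr, "Packet length suspiciously big: %u\n", toread);` (or btmon's own error-reporting helper) and correct the spelling of "suspiciously". Closing `btsnoop_fd` and returning -1 is the right reaction: once `pkt.size` is corrupt the file offset of every following record is untrustworthy.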
> > diff --git a/src/shared/btsnoop.c b/src/shared/btsnoop.c
> > index 17a872c..521be10 100644
> > --- a/src/shared/btsnoop.c
> > +++ b/src/shared/btsnoop.c
> > @@ -415,6 +415,11 @@ bool btsnoop_read_hci(struct btsnoop *btsnoop, struct timeval *tv,
> > }
> >
> > toread = be32toh(pkt.size);
> > + if (toread > MAX_PACKET_SIZE) {
> > + btsnoop->aborted = true;
> > + return false;
> > + }
> > +
> > flags = be32toh(pkt.flags);
> >
> > ts = be64toh(pkt.ts) - 0x00E03AB44A676000ll;
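Review bot: this check sets `btsnoop->aborted = true` and returns false without any diagnostic, so a caller of btsnoop_read_hci() cannot distinguish a corrupt trace from a normal end of file; add a short comment above the `if` explaining that an oversized `pkt.size` means the rest of the file cannot be parsed, and state which buffer `MAX_PACKET_SIZE` is meant to bound so a reader can confirm the comparison is against the size of the destination buffer. The condition is identical to the one in monitor/btsnoop.c, which supports splitting the two into separate patches as suggested below.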
>
> The above two chunks should probably be in separate patches. One for
> shared/btsnoop and the other for btmon.
OK.
>
> > diff --git a/src/shared/btsnoop.h b/src/shared/btsnoop.h
> > index 2c55d02..9f73913 100644
> > --- a/src/shared/btsnoop.h
> > +++ b/src/shared/btsnoop.h
> > @@ -44,6 +44,8 @@
> > #define BTSNOOP_OPCODE_SCO_TX_PKT 6
> > #define BTSNOOP_OPCODE_SCO_RX_PKT 7
> >
> > +#define MAX_PACKET_SIZE (1486 + 4)
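Review bot: `MAX_PACKET_SIZE` is added to a public header whose every other macro is prefixed `BTSNOOP_`, and the same unprefixed name is already defined in android/bluetoothd-snoop.c, monitor/analyze.c and monitor/control.c (see the list in the reply below), so any of those files including src/shared/btsnoop.h would get a macro redefinition. Rename it `BTSNOOP_MAX_PACKET_SIZE`, and add a comment stating what the 1486 and the 4 in `(1486 + 4)` stand for, so a reader can verify that the limit is actually the size of the buffer being guarded.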
>
> Where does this number come from? At least provide an explanation in the
> form of a code comment so that the reader can determine that it is
> correct. Also, you're violating the name space used by this header file.
> Everything else in it is prefixed by btsnoop_* or BTSNOOP_*.
MAX_PACKET_SIZE is defined in many places and NEVER explained.
1 45 android/bluetoothd-snoop.c <<MAX_PACKET_SIZE>>
#define MAX_PACKET_SIZE (1486 + 4)
2 42 monitor/analyze.c <<MAX_PACKET_SIZE>>
#define MAX_PACKET_SIZE (1486 + 4)
3 55 monitor/control.c <<MAX_PACKET_SIZE>>
#define MAX_PACKET_SIZE (1486 + 4)
4 47 src/shared/btsnoop.h <<MAX_PACKET_SIZE>>
#define MAX_PACKET_SIZE (1486 + 4)
Maybe instead of btsnoop.h I define it in src/shared/btsnoop.c
Best regards
Andrei Emeltchenko
2014-08-11 7:50 [PATCHv2 01/10] monitor: Fix segmentation fault with malformed packet Andrei Emeltchenko
2014-08-11 7:50 ` [PATCHv2 02/10] monitor: Handle default switch case Andrei Emeltchenko
2014-08-11 13:25 ` Johan Hedberg
2014-08-11 7:50 ` [PATCHv2 03/10] emulator: Fix resource leak closing fd Andrei Emeltchenko
2014-08-11 7:50 ` [PATCHv2 04/10] tools: Fix resource leak closing sk Andrei Emeltchenko
2014-08-11 7:50 ` [PATCHv2 05/10] gobex: Fix use after free Andrei Emeltchenko
2014-08-11 7:50 ` [PATCHv2 06/10] " Andrei Emeltchenko
2014-08-11 7:50 ` [PATCHv2 07/10] " Andrei Emeltchenko
2014-08-11 7:50 ` [PATCHv2 08/10] proximity: " Andrei Emeltchenko
2014-08-11 7:50 ` [PATCHv2 09/10] gdbus: " Andrei Emeltchenko
2014-08-11 7:50 ` [PATCHv2 10/10] obexd: Fix possible NULL dereference Andrei Emeltchenko
2014-08-11 13:37 ` Johan Hedberg
2014-08-12 7:57 ` Andrei Emeltchenko
2014-08-11 13:22 ` [PATCHv2 01/10] monitor: Fix segmentation fault with malformed packet Johan Hedberg
2014-08-12 7:55 ` Andrei Emeltchenko [this message]
2014-08-12 9:04 ` Johan Hedberg
2014-08-12 12:46 ` [PATCHv3 1/5] monitor: Use common maximum packet size definition Andrei Emeltchenko
2014-08-12 12:46 ` [PATCHv3 2/5] shared/btsnoop: Fix segmentation fault with malformed packet Andrei Emeltchenko
2014-08-12 12:46 ` [PATCHv3 3/5] btmon: " Andrei Emeltchenko
2014-08-12 12:46 ` [PATCHv3 4/5] monitor: Handle default switch case Andrei Emeltchenko
2014-08-13 9:19 ` Johan Hedberg
2014-08-13 11:32 ` [PATCHv4] " Andrei Emeltchenko
2014-08-13 11:42 ` Johan Hedberg
2014-08-12 12:46 ` [PATCHv3 5/5] obexd: Fix possible NULL dereference Andrei Emeltchenko