From: Peter Hurley <peter@hurleysoftware.com>
To: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>,
Johan Hedberg <johan.hedberg@gmail.com>,
Gianluca Anzolin <gianluca@sottospazio.it>,
Alexander Holler <holler@ahsoftware.de>,
Andrey Vihrov <andrey.vihrov@gmail.com>,
Sander Eikelenboom <linux@eikelenboom.it>,
linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org,
Peter Hurley <peter@hurleysoftware.com>
Subject: [PATCH 10/24] Bluetooth: Verify dlci not in use before rfcomm_dev create
Date: Sun, 9 Feb 2014 20:59:10 -0500
Message-ID: <1391997564-1805-11-git-send-email-peter@hurleysoftware.com>
In-Reply-To: <1391997564-1805-1-git-send-email-peter@hurleysoftware.com>

Only one session/channel combination may be in use at any one
time. However, the failure does not occur until the tty is
opened (in rfcomm_dlc_open()).

Because these settings are actually bound at rfcomm device
creation (via RFCOMMCREATEDEV ioctl), validate and fail before
creating the rfcomm tty device.

Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
---
include/net/bluetooth/rfcomm.h | 1 +
net/bluetooth/rfcomm/core.c | 26 +++++++++++++++++++++++++-
net/bluetooth/rfcomm/tty.c | 8 ++++++++
3 files changed, 34 insertions(+), 1 deletion(-)
diff --git a/include/net/bluetooth/rfcomm.h b/include/net/bluetooth/rfcomm.h
index 6f3fbc5..79bb913 100644
--- a/include/net/bluetooth/rfcomm.h
+++ b/include/net/bluetooth/rfcomm.h
@@ -241,6 +241,7 @@ int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb);
int rfcomm_dlc_set_modem_status(struct rfcomm_dlc *d, u8 v24_sig);
int rfcomm_dlc_get_modem_status(struct rfcomm_dlc *d, u8 *v24_sig);
void rfcomm_dlc_accept(struct rfcomm_dlc *d);
+struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel);
#define rfcomm_dlc_lock(d) spin_lock(&d->lock)
#define rfcomm_dlc_unlock(d) spin_unlock(&d->lock)
diff --git a/net/bluetooth/rfcomm/core.c b/net/bluetooth/rfcomm/core.c
index facd8a7..646b6ff 100644
--- a/net/bluetooth/rfcomm/core.c
+++ b/net/bluetooth/rfcomm/core.c
@@ -359,6 +359,11 @@ static struct rfcomm_dlc *rfcomm_dlc_get(struct rfcomm_session *s, u8 dlci)
return NULL;
}
+static int rfcomm_check_channel(u8 channel)
+{
+ return channel < 1 || channel > 30;
+}
+
static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst, u8 channel)
{
struct rfcomm_session *s;
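Review bot: rfcomm_check_channel() returns nonzero when the channel is invalid, which is the opposite of what the name suggests, so the later call site "if (rfcomm_check_channel(channel)) return -EINVAL;" reads as if a successful check were an error. Consider naming it for what a true result means (for example an "invalid" or "out of range" predicate returning bool), or have it return 0 / -EINVAL so callers can propagate the value directly. The 1..30 bounds would also benefit from a short comment or named constants saying where the range comes from.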
@@ -368,7 +373,7 @@ static int __rfcomm_dlc_open(struct rfcomm_dlc *d, bdaddr_t *src, bdaddr_t *dst,
BT_DBG("dlc %p state %ld %pMR -> %pMR channel %d",
d, d->state, src, dst, channel);
- if (channel < 1 || channel > 30)
+ if (rfcomm_check_channel(channel))
return -EINVAL;
if (d->state != BT_OPEN && d->state != BT_CLOSED)
@@ -513,6 +518,25 @@ no_session:
return r;
}
+struct rfcomm_dlc *rfcomm_dlc_exists(bdaddr_t *src, bdaddr_t *dst, u8 channel)
+{
+ struct rfcomm_session *s;
+ struct rfcomm_dlc *dlc = NULL;
+ u8 dlci;
+
+ if (rfcomm_check_channel(channel))
+ return ERR_PTR(-EINVAL);
+
+ rfcomm_lock();
+ s = rfcomm_session_get(src, dst);
+ if (s) {
+ dlci = __dlci(!s->initiator, channel);
+ dlc = rfcomm_dlc_get(s, dlci);
+ }
+ rfcomm_unlock();
+ return dlc;
+}
+
int rfcomm_dlc_send(struct rfcomm_dlc *d, struct sk_buff *skb)
{
int len = skb->len;
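Review bot: in rfcomm_dlc_exists(), dlc is returned after rfcomm_unlock() and nothing in the visible lines takes a reference on it (no rfcomm_dlc_hold() under the lock), so the pointer handed back to the caller is not protected against the dlc being closed and freed once the lock is dropped. If rfcomm_dlc_get() is a plain lookup, take the hold while still under rfcomm_lock() and say so in a comment, or reduce the result to a yes/no value before unlocking so no pointer escapes. Also note that the dlci is derived from s->initiator of whatever session currently exists; when no session exists yet the function reports the channel as free, so the check cannot replace the later one in rfcomm_dlc_open().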
diff --git a/net/bluetooth/rfcomm/tty.c b/net/bluetooth/rfcomm/tty.c
index 6ea08b0..a58d693 100644
--- a/net/bluetooth/rfcomm/tty.c
+++ b/net/bluetooth/rfcomm/tty.c
@@ -385,6 +385,14 @@ static int rfcomm_create_dev(struct sock *sk, void __user *arg)
dlc = rfcomm_pi(sk)->dlc;
rfcomm_dlc_hold(dlc);
} else {
+ /* Validate the channel is unused */
+ dlc = rfcomm_dlc_exists(&req.src, &req.dst, req.channel);
+ if (IS_ERR(dlc))
+ return PTR_ERR(dlc);
+ else if (dlc) {
+ rfcomm_dlc_put(dlc);
+ return -EBUSY;
+ }
dlc = rfcomm_dlc_alloc(GFP_KERNEL);
if (!dlc)
return -ENOMEM;
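Review bot: the rfcomm_dlc_put(dlc) in the "else if (dlc)" branch drops a reference that rfcomm_dlc_exists() does not visibly acquire; unless rfcomm_dlc_get() takes a hold, this put is unbalanced and can drive the refcount of a live dlc to zero, freeing it while its real owner still uses it. Since this caller only needs to know whether the channel is busy, the put should either be matched by an explicit hold in the helper or be removed. Separately, the check is not atomic with the rfcomm_dlc_alloc() and device registration that follow, so two concurrent RFCOMMCREATEDEV calls for the same src/dst/channel can both pass it; the changelog or a comment should say what serializes them. Minor style: the "else" after "return PTR_ERR(dlc);" is unnecessary.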
--
1.8.1.2