Linux-Can Archive on lore.kernel.org
 help / color / Atom feed
From: Oliver Hartkopp <socketcan@hartkopp.net>
To: Vincent MAILHOL <mailhol.vincent@wanadoo.fr>
Cc: "Marc Kleine-Budde" <mkl@pengutronix.de>,
	linux-can@vger.kernel.org, kernel@pengutronix.de,
	"Stéphane Grosjean" <s.grosjean@peak-system.com>
Subject: Re: [net-rfc 04/16] can: dev: can_get_len(): add a helper function to get the correct length of Classical frames
Date: Thu, 22 Oct 2020 09:15:19 +0200
Message-ID: <0087f8a4-c77c-cc13-b17d-bd9666837ee3@hartkopp.net> (raw)
In-Reply-To: <CAMZ6RqJ8=T8CAhYaa8PZs5-d2zhx1_15wMe7ohUZovvqTcgW0w@mail.gmail.com>



On 22.10.20 05:30, Vincent MAILHOL wrote:
> On 21.10.21 02:52, Oliver Hartkopp wrote:
>> On 21.10.20 13:55, Vincent MAILHOL wrote:
>>>> On 21.10.20 18:48, Oliver Hartkopp wrote:
>>
>>>> To be more compatible to non raw dlc CAN frame sources the tx handling
>>>> could also be like this:
>>>>
>>>> if ((can_dlc == CAN_MAX_DLEN) &&
>>>>        (raw_dlc >= CAN_MAX_DLC && raw_dlc <= CAN_MAX_RAW_DLC))
>>>> => use raw_dlc
>>>>
> 
> In addition to that, we would have to decide what to do with malformed
> frames. If can_dlc and can_raw are set to contradictory values, do we
> drop the frame, do we just ignore the raw_dlc? For example, if can_dlc
> is 8 but raw_dlc is 2, I think that we should drop.

The pseudo code is pretty clear on this: Use can_dlc.

The nice thing about testing raw_dlc to be 9..15 when can_dlc == 8 is, 
that we always have a correct CAN frame on the wire with 8 bytes of content.

Ok, the raw_dlc might be an uninitialized value - but still everything 
remains fine for operation. So why dropping frames here?

The problem of uninitialized values could be solved with a 
CAN_RAW_RAW_DLC sockopt BUT you will be always able to send a CAN frame 
with an AF_PACKET socket which has no CAN_RAW_RAW_DLC sockopt.

And then?

The above pseudo code together with CAN_CTRLMODE_RAW_DLC seems to be a 
pretty safe option to me. Even if 'legacy' applications with 
uninitialized raw_dlc send CAN frames or AF_PACKET users enable 
CAN_CTRLMODE_RAW_DLC we always end up with a proper can_dlc == 8  and a 
fitting valid raw_dlc.

> 
> If we go this direction, I would propose below logic:
> 
>   1. if raw_dlc equals can_dlc: nominal case.

Is not tested. We would start on testing can_dlc == 8

> 
>   2. if can_dlc equals 8 and raw_dlc is greater than 8: use raw_dlc
>      case, already covered in your code.

ACK

>   3. if raw_dlc is 0, then consider it as unset: overwrite raw_dlc with
>      can_dlc (so that it becomes case 1).

Is not tested like this. We would start on can_dlc == 8 - and then check 
for valid raw_dlc 9..15

> 
>   4. Other scenarios: the frame is malformed: drop it.

No dropping.

> Logic should apply for both Tx and Rx paths.

So test for can_dlc == 8 - and then check for valid raw_dlc 9..15 in the 
user space?! Fine.

Btw. we can make sure that we do not have uninitialized raw_dlc value in 
the rx path in the enabled drivers. In fact you could always use the 
raw_dlc then.

BUT it makes sense to use this test to detect cases, where someone 
forgot to switch on CAN_CTRLMODE_RAW_DLC or the driver doesn't support 
it and the programmer did not check the ctrlmode netlink return values.

> Then, the drivers/users would only have to manage scenarios 1 and 2
> (and 2 can be ignored if CAN_CTRLMODE_RAW_DLC is not advertised).
> 
>>>
>>> If I understand well, the idea would be not to use a setsockopt() but
>>> instead rely on some logic on the can_dlc and raw_dlc to determine
>>> which one to use.
>>>
>>> Unfortunately, this approach has one issue in the TX path that could
>>> break existing applications.
>>>
>>> Consider below code (which I think is fairly realistic):
>>>
>>> void send_frame (int soc, canid_t can_id, char *data, size_t len)
>>> {
>>>       struct can_frame cf;
>>>       size_t dlc = len > sizeof(cf.data) ? sizeof(cf.data) : len;
>>>
>>>       cf.can_id = can_id;
>>>       cf.can_dlc = dlc;
>>>       memcpy(cf.data, data, dlc);
>>>
>>>       write(soc, &cf, sizeof(cf));
>>> }
>>>
>>> Here, the user did not initialize the can frame (cf) but assigned all
>>> the relevant fields manually. Because cf is not initialized, the newly
>>> introduced cf.dlc_raw field would have any of the values which was
>>> present on the stack at the moment (rationale: the C standard does not
>>> guarantee zero initialization). If 9 <= raw_dlc <= 15, the can frame
>>> will be transmitted with a bad DLC value. If raw_dlc > 15, the can
>>> frame will be discarded.
>>
>> No, this is not what I wrote. With my suggestion you need to populate
>> both dlc elements to use the new "raw dlc" feature.
>>
>> if (can_dlc == 8) && (9 <= raw_dlc <= 15)
>> => put raw_dlc value into the controller register
>> else
>> => put can_dlc value into the controller register
>>
>> When you have a test system to make security tests and you enable
>> CAN_CTRLMODE_RAW_DLC on a specific CAN interface - which applications
>> would you run to send CAN frames on this interface?
>>
>> I assume only the test application which is really aware of setting
>> can_dlc and raw_dlc correctly.
> 
> My point is that this assumption is dangerous.
> 
> I do not think I made myself clear. I am speaking about old "non-DLC
> aware" code running in CAN_CTRLMODE_RAW_DLC context.
> 
> Consider two applications: the first application is a test application
> which is "DLC aware", the second is a legacy application which
> contains the code which I presented in my previous message.
> 
> A user who wants to run both in parallel sets CAN_CTRLMODE_RAW_DLC at
> netlink level. First application works fine, second application which
> contains the legacy code gets impacted as explained previously and
> stops behaving as intended.
> 
> Newly introduced option should not break existing code regardless
> why. In opposition, we can introduce new rules if these are strictly
> tied to the new option.

Yes but it doesn't help you with AF_PACKET.

> In my mind, imposing a rule that old code should not be used in
> CAN_CTRLMODE_RAW_DLC context would create a huge pitfall and would
> violate the "don't break userland" principle.

CAN_RAW_RAW_DLC could help in the case of legacy code only when they are 
using CAN_RAW sockets. But nothing more.

Therefore we need the robustness on driver level with the checking of 
can_dlc == 8.

(..)

>>> For userland, I think that this is acceptable because the very instant
>>> the user calls setsockopt() with the CAN_RAW_RAW_DLC, he should be
>>> aware of the consequences and should resign to use can_dlc field as a
>>> plain length.
>>
>> Not filling can_dlc would cause tons of changes for sanity checks and
>> feature switches.
> 
> I never spoke about "not filling can_dlc". My point is to not use it
> as a length but use it as a DLC according to ISO definition. In my
> approach, can_dlc should always be filled with the raw DLC value.

Ok, let me rephrase: Filling can_dlc with something else than a plain 
length information 0..8 ;-)

(..)

>> The 14 year old documentation in can.h says:
>> @can_dlc: frame payload length in byte (0 .. 8)
>>
>> I will not break this established rule for a testing feature. The
>> question from Joakim clearly showed: Don't touch this!
> 
> My point is this is an expert feature: if you do not understand it, do
> not use it and you are safe to go using the 14 years old definition.

Full ACK - but you can't imagine what people do in the real world. Do 
you know these 'more helps more' guys that switch everything to 'on'? :-D

The approach with CAN_CTRLMODE_RAW_DLC and the described testing would 
be even robust against unintended miss-use.

>> At the end it would have made more sense to call it can_frame.len in the
>> first place. But this first came into our mind when CAN FD showed up.
>> The discussion about the can_dlc meaning can be closed IMO. It is a
>> plain length from 0..8 which is unfortunately named can_dlc.
> 
> I agree that it should have been named len from the beginning, but as
> a matter of fact it has been named "can_dlc". For me as a user, I
> expect can_dlc to follow the DLC definition in ISO and so I *prefer*
> to opt for the compromise of losing the plain length property rather
> than losing the semantic meaning.

I don't think you can claim to be a standard user. You are an expert for 
security testing and digged into the ISO standard and intentionally 
write DLC values >8 into controller registers. Users don't do things 
like this ;-)

Clean-up and renaming typically ends when it breaks APIs and commonly 
followed rules. There are many examples in Linux where these clean-up 
attempts have been canceled for these reasons.

I would have liked to rename can_dlc to len too.
But now that we have a compatible canfd_frame which can contain a 
can_frame this is somehow settled: can_dlc == len.

> I would like to conclude by saying that I do necessarily think that
> your approach of raw_dlc field is bad (if used in combination with the
> setsockopt()). It has its pros and cons. However, if you ask me for
> feedback, *my answer* is that *I prefer* to use can_dlc as a DLC. But
> at the end of the day, I would be happy if the feature gets
> implemented, regardless how, so that I can do my testing :-)

So let's see how we can get there best :-)

Best regards,
Oliver

  reply index

Thread overview: 45+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-19 19:05 [RFC]: can 2020-10-19 Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 01/16] can: proc: can_remove_proc(): silence remove_proc_entry warning Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 02/16] can: rx-offload: don't call kfree_skb() from IRQ context Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 03/16] can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard " Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 04/16] can: dev: can_get_len(): add a helper function to get the correct length of Classical frames Marc Kleine-Budde
2020-10-19 20:35   ` Oliver Hartkopp
2020-10-20  6:35     ` Marc Kleine-Budde
2020-10-20 11:30       ` Vincent Mailhol
2020-10-20 11:48         ` Marc Kleine-Budde
2020-10-20 12:38         ` Oliver Hartkopp
2020-10-20 15:02           ` Marc Kleine-Budde
2020-10-20 16:07           ` Vincent Mailhol
2020-10-20 17:04             ` Oliver Hartkopp
2020-10-20 18:50               ` Marc Kleine-Budde
2020-10-21  0:52               ` Vincent Mailhol
2020-10-21  6:23                 ` Vincent MAILHOL
2020-10-21  7:11                   ` Joakim Zhang
2020-10-21  7:21                     ` Marc Kleine-Budde
2020-10-21  7:48                       ` Joakim Zhang
2020-10-21  9:21                   ` Oliver Hartkopp
2020-10-21  9:48                     ` Oliver Hartkopp
2020-10-21 11:55                     ` Vincent MAILHOL
2020-10-21 17:52                       ` Oliver Hartkopp
2020-10-22  3:30                         ` Vincent MAILHOL
2020-10-22  7:15                           ` Oliver Hartkopp [this message]
2020-10-22 12:23                             ` Vincent MAILHOL
2020-10-22 13:28                               ` Oliver Hartkopp
2020-10-22 15:46                                 ` Vincent MAILHOL
2020-10-22 17:06                                   ` Oliver Hartkopp
2020-10-23 10:36                                     ` Vincent MAILHOL
2020-10-23 16:47                                       ` Oliver Hartkopp
2020-10-24  5:25                                         ` Vincent MAILHOL
2020-10-24 11:31                                           ` Oliver Hartkopp
2020-10-19 19:05 ` [net-rfc 05/16] can: dev: __can_get_echo_skb(): fix the returned length of CAN frame Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 06/16] can: can_create_echo_skb(): fix echo skb generation: always use skb_clone() Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 07/16] can: j1939: j1939_sk_bind(): return failure if netdev is down Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 08/16] can: isotp: Explain PDU in CAN_ISOTP help text Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 09/16] can: isotp: enable RX timeout handling in listen-only mode Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 10/16] can: ti_hecc: add missed clk_disable_unprepare() in error path Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 11/16] can: xilinx_can: handle failure cases of pm_runtime_get_sync Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 12/16] can: peak_usb: fix timestamp wrapping Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 13/16] can: peak_canfd: fix echo management when loopback is on Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 14/16] can: mcp251xfd: mcp251xfd_regmap_crc_read(): increase severity of CRC read error messages Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 15/16] can: mcp251xfd: mcp251xfd_regmap_nocrc_read(): fix semicolon.cocci warnings Marc Kleine-Budde
2020-10-19 19:05 ` [net-rfc 16/16] can: mcp251xfd: remove unneeded break Marc Kleine-Budde

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=0087f8a4-c77c-cc13-b17d-bd9666837ee3@hartkopp.net \
    --to=socketcan@hartkopp.net \
    --cc=kernel@pengutronix.de \
    --cc=linux-can@vger.kernel.org \
    --cc=mailhol.vincent@wanadoo.fr \
    --cc=mkl@pengutronix.de \
    --cc=s.grosjean@peak-system.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-Can Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-can/0 linux-can/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-can linux-can/ https://lore.kernel.org/linux-can \
		linux-can@vger.kernel.org
	public-inbox-index linux-can

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-can


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git