From: Jian-Hong Pan <starnight@g.ncu.edu.tw>
To: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: "Andreas Färber" <afaerber@suse.de>,
	"David S. Miller" <davem@davemloft.net>,
	netdev@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	linux-kernel@vger.kernel.org,
	"Marcel Holtmann" <marcel@holtmann.org>,
	"Dollar Chen" <dollar.chen@wtmec.com>,
	"Ken Yu" <ken.yu@rakwireless.com>,
	"linux-wpan - ML" <linux-wpan@vger.kernel.org>,
	"Stefan Schmidt" <stefan@datenfreihafen.org>
Subject: Re: [PATCH V4 5/6] net: maclorawan: Implement maclorawan class module
Date: Sun, 9 Dec 2018 16:27:15 +0800
Message-ID: <CAC=mGziyi1ierhg++SUcHMrq1JQ0vH4gZCKUZgchzb8aD1Rv5Q@mail.gmail.com>
In-Reply-To: <20181204204508.3ebead06@alans-desktop>

I made a fake skb and passed it to lrw_parse_frame() function for
testing.  I use print_hex_dump() function to show the skb's content.
Here is the original content in the skb->data and the length is 20 bytes.

[   33.732033] 00000000: 40 04 03 02 01 00 00 00 00 27 76 d3 2d 1b 79 a0  @........'v.-.y.
[   33.732065] 00000010: 18 38 fb a6                                      .8..

Byte 0: MHDR field, value is 0x40.
Byte 1 ~ 4: DevAddr field, value is 0x04 0x03 0x02 0x01.
Byte 5: FCtrl field, value is 0x00.
Byte 6 ~ 7: FCnt field, value is 0x00 0x00.
Byte 8: FPort field, value is 0x00.
Byte 9 ~ 15: Encrypted payload
Byte 16 ~ 19: MIC field value is 0x18 0x38 0xfb 0xa6.

> > +void
> > +lrw_parse_frame(struct lrw_session *ss, struct sk_buff *skb)
> > +{
> > +     struct lrw_fhdr *fhdr = &ss->rx_fhdr;
> > +     __le16 *p_fcnt;
> > +
> > +     pr_debug("%s: %s\n", LORAWAN_MODULE_NAME, __func__);
> > +
> > +     /* Get message type */
> > +     fhdr->mtype = skb->data[0];
> > +     skb_pull(skb, LRW_MHDR_LEN);
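
Review bot: skb->data[0] is read and LRW_MHDR_LEN bytes are pulled before anything checks skb->len, so an empty or truncated skb is parsed past the end of its data; check skb->len against the minimum frame size (MHDR + DevAddr + FCtrl + FCnt + MIC) at the top of lrw_parse_frame() and drop the frame when it is shorter, and use the return value of skb_pull(), which is NULL when the requested length exceeds skb->len, instead of discarding it.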

print_hex_dump skb here:
[   33.732202] 00000000: 04 03 02 01 00 00 00 00 27 76 d3 2d 1b 79 a0 18  ........'v.-.y..
[   33.732204] 00000010: 38 fb a6

> This does not seem robust. There is no point at which you actually check
> the message size is valid etc

Thanks!  It is a potential bug.
It should check skb->len >= length of MHDR + DevAddr + FCtrl + FCnt + MIC.
These are required fields for (Un)confirmed Data Up/Down messages.


print_hex_dump skb here:
[   33.732211] 00000000: 00 27 76 d3 2d 1b 79 a0 18 38 fb a6              .'v.-.y..8..

> > +     fhdr->fopts_len = fhdr->fctrl & 0xF;
> > +     if (fhdr->fopts_len > 0) {
> > +             memcpy(fhdr->fopts, skb->data, fhdr->fopts_len);
> > +             skb_pull(skb, fhdr->fopts_len);
> > +     }
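
Review bot: fhdr->fopts_len is taken from the frame's own FCtrl nibble, but the memcpy() from skb->data is not bounded by skb->len, so a frame whose FCtrl advertises more FOpts bytes than remain copies bytes beyond the received data into fhdr->fopts; reject the frame before the copy when skb->len < fhdr->fopts_len + LRW_MIC_LEN, and make sure fhdr->fopts has room for the 15 bytes the `& 0xF` mask allows. The return value of skb_pull() is discarded here as well.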

print_hex_dump skb here:
[   33.732213] 00000000: 00 27 76 d3 2d 1b 79 a0 18 38 fb a6              .'v.-.y..8..

> In fact you appear to copy random kernel memory into a buffer

It copied fhdr->fopts_len bytes from skb->data to fhdr->fopts if
fhdr->fopts_len > 0.
https://www.kernel.org/doc/html/latest/core-api/kernel-api.html?highlight=memcpy#c.memcpy

> > +
> > +     /* TODO: Parse frame options */
> > +
> > +     /* Remove message integrity code */
> > +     skb_trim(skb, skb->len - LRW_MIC_LEN);
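
Review bot: skb->len is an unsigned int, so when fewer than LRW_MIC_LEN bytes remain `skb->len - LRW_MIC_LEN` wraps to a large value and skb_trim() silently does nothing (it only trims when skb->len is greater than the requested length), leaving the MIC bytes in place to be handed on as payload; guard the trim with an explicit `if (skb->len < LRW_MIC_LEN)` rejection, which a minimum-length check at the top of the function would also cover.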

print_hex_dump skb here:
[   33.732216] 00000000: 00 27 76 d3 2d 1b 79 a0                          .'v.-.y.

> and then try and trim the buffer to a negative size ?

It removed 4 tail bytes (MIC).  (skb->len - LRW_MIC_LEN) is the final
new length as skb_trim()'s 2nd argument len.
https://www.kernel.org/doc/html/latest/networking/kapi.html?highlight=skb_trim#c.skb_trim

I found another bug which did not initialize rx_skb_list.  So,
lrw_parse_frame() may be passed a mystery skb.

Please keep reviewing.  That is appreciated.

Thank you,
Jian-Hong Pan
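
As an added example, not code from this thread or from the maclorawan module: a user-space C model of the checks discussed above, the minimum-length test of MHDR + DevAddr + FCtrl + FCnt + MIC before any field is read, plus a bound on the FOpts copy against the bytes actually remaining before the MIC. The field layout follows the byte-by-byte description in the mail and the 20-byte sample is the frame from its hex dump; the function and structure names, the little-endian decoding of DevAddr and FCnt, and the 12-byte frame with a bogus FOpts length are assumptions.

```c
/* Added example (not the maclorawan patch's code): a user-space model of the
 * per-field length checks a LoRaWAN data-frame parser needs. Field sizes follow
 * the layout given in the mail; names and the lrw_fhdr layout are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LRW_MHDR_LEN    1
#define LRW_DEVADDR_LEN 4
#define LRW_FCTRL_LEN   1
#define LRW_FCNT_LEN    2
#define LRW_FPORT_LEN   1
#define LRW_MIC_LEN     4
#define LRW_FOPTS_MAX   15   /* FCtrl low nibble: 0..15 bytes of FOpts */
/* Fields every (Un)confirmed Data Up/Down frame must carry: 12 bytes */
#define LRW_MIN_FRAME_LEN (LRW_MHDR_LEN + LRW_DEVADDR_LEN + LRW_FCTRL_LEN + \
			   LRW_FCNT_LEN + LRW_MIC_LEN)

struct lrw_fhdr {
	uint8_t mtype;
	uint32_t devaddr;
	uint8_t fctrl;
	uint16_t fcnt;
	uint8_t fopts_len;
	uint8_t fopts[LRW_FOPTS_MAX];  /* room for any value of fctrl & 0xF */
	int has_fport;
	uint8_t fport;
	const uint8_t *payload;        /* points into the caller's buffer */
	size_t payload_len;
	uint8_t mic[LRW_MIC_LEN];
};

/* Parse `len` bytes at `data`. Returns 0 on success, -1 when the frame is too
 * short for the fields it claims to carry; every read is preceded by a check
 * against the bytes still available, so nothing is read past `len`. */
int lrw_parse_frame_checked(const uint8_t *data, size_t len,
			    struct lrw_fhdr *fhdr)
{
	size_t off = 0, body_len;

	if (len < LRW_MIN_FRAME_LEN)
		return -1;
	memset(fhdr, 0, sizeof(*fhdr));

	fhdr->mtype = data[off];                                /* MHDR */
	off += LRW_MHDR_LEN;
	fhdr->devaddr = (uint32_t)data[off] | ((uint32_t)data[off + 1] << 8) |
			((uint32_t)data[off + 2] << 16) | ((uint32_t)data[off + 3] << 24);
	off += LRW_DEVADDR_LEN;                                 /* DevAddr, little-endian */
	fhdr->fctrl = data[off];
	off += LRW_FCTRL_LEN;
	fhdr->fcnt = (uint16_t)(data[off] | (data[off + 1] << 8));
	off += LRW_FCNT_LEN;                                    /* FCnt, little-endian */

	/* fopts_len comes from the frame itself: bound it by the bytes that remain
	 * before the MIC, not only by the 15-byte maximum of the nibble. */
	fhdr->fopts_len = fhdr->fctrl & 0xF;
	if (len - off - LRW_MIC_LEN < fhdr->fopts_len)
		return -1;
	memcpy(fhdr->fopts, data + off, fhdr->fopts_len);
	off += fhdr->fopts_len;

	/* Whatever lies between the header and the trailing MIC is FPort + FRMPayload */
	body_len = len - off - LRW_MIC_LEN;
	if (body_len > 0) {
		fhdr->has_fport = 1;
		fhdr->fport = data[off];
		off += LRW_FPORT_LEN;
		fhdr->payload = data + off;
		fhdr->payload_len = body_len - LRW_FPORT_LEN;
	}
	memcpy(fhdr->mic, data + len - LRW_MIC_LEN, LRW_MIC_LEN);
	return 0;
}

/* The 20-byte frame shown by print_hex_dump() in the mail */
const uint8_t lrw_sample_frame[20] = {
	0x40, 0x04, 0x03, 0x02, 0x01, 0x00, 0x00, 0x00, 0x00,
	0x27, 0x76, 0xd3, 0x2d, 0x1b, 0x79, 0xa0, 0x18, 0x38, 0xfb, 0xa6
};
/* Constructed: FCtrl 0x0f claims 15 FOpts bytes but only the MIC follows, so an
 * unchecked memcpy() would read past the end of this 12-byte frame. */
const uint8_t lrw_bad_fopts_frame[12] = {
	0x40, 0x04, 0x03, 0x02, 0x01, 0x0f, 0x00, 0x00, 0x18, 0x38, 0xfb, 0xa6
};

int main(void)
{
	struct lrw_fhdr h;
	if (lrw_parse_frame_checked(lrw_sample_frame, sizeof(lrw_sample_frame), &h) == 0)
		printf("mtype 0x%02x devaddr 0x%08x fport %u payload %zu bytes\n",
		       h.mtype, (unsigned int)h.devaddr, h.fport, h.payload_len);
	printf("11-byte frame: %d, bogus fopts_len: %d\n",
	       lrw_parse_frame_checked(lrw_sample_frame, 11, &h),
	       lrw_parse_frame_checked(lrw_bad_fopts_frame, sizeof(lrw_bad_fopts_frame), &h));
	return 0;
}
```

Run stand-alone, the sample frame parses to MHDR 0x40, DevAddr 0x01020304, FPort 0 and a 7-byte payload, while the 11-byte prefix and the frame with the oversized FOpts length are both rejected before any byte beyond the buffer is touched. The same two checks, applied to skb->len before skb->data[0] is read and before the FOpts memcpy(), are what the quoted hunks are missing.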
