Linux-WPAN Archive on lore.kernel.org
 help / color / Atom feed
From: Jian-Hong Pan <starnight@g.ncu.edu.tw>
To: Alan Cox <gnomes@lxorguk.ukuu.org.uk>
Cc: "Andreas Färber" <afaerber@suse.de>,
	"David S. Miller" <davem@davemloft.net>,
	netdev@vger.kernel.org,
	"<linux-arm-kernel@lists.infradead.org\\"
	<linux-arm-kernel@lists.infradead.org>,
	"linux-kernel@vger.kernel.org>," <linux-kernel@vger.kernel.org>,
	"Marcel Holtmann" <marcel@holtmann.org>,
	"Dollar Chen" <dollar.chen@wtmec.com>,
	"Ken Yu" <ken.yu@rakwireless.com>,
	"linux-wpan - ML" <linux-wpan@vger.kernel.org>,
	"Stefan Schmidt" <stefan@datenfreihafen.org>
Subject: Re: [PATCH V4 5/6] net: maclorawan: Implement maclorawan class module
Date: Sun, 9 Dec 2018 16:27:15 +0800
Message-ID: <CAC=mGziyi1ierhg++SUcHMrq1JQ0vH4gZCKUZgchzb8aD1Rv5Q@mail.gmail.com> (raw)
In-Reply-To: <20181204204508.3ebead06@alans-desktop>

I made a fake skb and passed it to lrw_parse_frame() function for
testing.  I use print_hex_dump() function to show the skb's content.
Here is the original content in the skb->data and the length is 20 bytes.

[   33.732033] 00000000: 40 04 03 02 01 00 00 00 00 27 76 d3 2d 1b 79
a0  @........'v.-.y.
[   33.732065] 00000010: 18 38 fb a6                                      .8..

Byte 0: MHDR field, value is 0x40.
Byte 1 ~ 4: DevAddr field, value is 0x04 0x03 0x02 0x01.
Byte 5: FCtrl field, value is 0x00.
Byte 6 ~ 7: FCnt field, value is 0x00 0x00.
Byte 8: FPort field, value is 0x00.
Byte 9 ~ 15: Encrypted payload
Byte 16 ~ 19: MIC field value is 0x18 0x38 0xfb 0xa6.

> > +void
> > +lrw_parse_frame(struct lrw_session *ss, struct sk_buff *skb)
> > +{
> > +     struct lrw_fhdr *fhdr = &ss->rx_fhdr;
> > +     __le16 *p_fcnt;
> > +
> > +     pr_debug("%s: %s\n", LORAWAN_MODULE_NAME, __func__);
> > +
> > +     /* Get message type */
> > +     fhdr->mtype = skb->data[0];
> > +     skb_pull(skb, LRW_MHDR_LEN);

print_hex_dump skb here:
[   33.732202] 00000000: 04 03 02 01 00 00 00 00 27 76 d3 2d 1b 79 a0
18  ........'v.-.y..
[   33.732204] 00000010: 38 fb a6

> This does not seem robust. There is no point at which you actually check
> the message size is valid etc

Thanks!  It is a potential bug.
It should check skb->len >= length of MHDR + DevAddr + FCtrl + FCnt + MIC.
These are required fields for (Un)confirmed Data Up/Down messages.


print_hex_dump skb here:
[   33.732211] 00000000: 00 27 76 d3 2d 1b 79 a0 18 38 fb a6
   .'v.-.y..8..

> > +     fhdr->fopts_len = fhdr->fctrl & 0xF;
> > +     if (fhdr->fopts_len > 0) {
> > +             memcpy(fhdr->fopts, skb->data, fhdr->fopts_len);
> > +             skb_pull(skb, fhdr->fopts_len);
> > +     }

print_hex_dump skb here:
[   33.732213] 00000000: 00 27 76 d3 2d 1b 79 a0 18 38 fb a6
   .'v.-.y..8..

> In fact you appear to copy random kernel memory into a buffer

It copied fhdr->fopts_len bytes from skb->data to fhdr->fopts if
fhdr->fopts_len > 0.
https://www.kernel.org/doc/html/latest/core-api/kernel-api.html?highlight=memcpy#c.memcpy

> > +
> > +     /* TODO: Parse frame options */
> > +
> > +     /* Remove message integrity code */
> > +     skb_trim(skb, skb->len - LRW_MIC_LEN);

print_hex_dump skb here:
[   33.732216] 00000000: 00 27 76 d3 2d 1b 79 a0
   .'v.-.y.

> and then try and trim the buffer to a negative size ?

It removed 4 tail bytes (MIC).  (skb->len - LRW_MIC_LEN) is the final
new length as skb_trim()'s 2nd argument len.
https://www.kernel.org/doc/html/latest/networking/kapi.html?highlight=skb_trim#c.skb_trim

I found another bug which did not initialize rx_skb_list.  So,
lrw_parse_frame() may be passed a mystery skb.

Please keep reviewing.  That is appreciated.

Thank you,
Jian-Hong Pan

  reply index

Thread overview: 74+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-08-23 17:15 [RFC 0/3 net] lorawan: Add LoRaWAN soft MAC module Jian-Hong Pan
2018-08-23 17:15 ` [RFC 1/3 net] lorawan: Add LoRaWAN class module Jian-Hong Pan
2018-08-23 17:43   ` Randy Dunlap
2018-08-24 15:58     ` Jian-Hong Pan
2018-09-23 16:40   ` Andreas Färber
2018-09-26 15:52     ` Jian-Hong Pan
2018-11-05 16:55   ` [PATCH V2 0/7] net: lorawan: Add LoRaWAN soft MAC module Jian-Hong Pan
2018-11-05 16:55   ` [PATCH V2 1/7] net: lorawan: Add macro and definition for LoRaWAN Jian-Hong Pan
2018-11-05 16:55   ` [PATCH V2 2/7] net: lorawan: Add LoRaWAN socket module Jian-Hong Pan
2018-11-05 18:16     ` David Miller
2018-11-06 14:28       ` Jian-Hong Pan
2018-11-14 16:01       ` [PATCH V3 0/7] net: lorawan: Add LoRaWAN soft MAC module Jian-Hong Pan
2018-11-14 16:01       ` [PATCH V3 1/7] net: lorawan: Add macro and definition for LoRaWAN Jian-Hong Pan
2018-11-14 16:12         ` Andreas Färber
2018-11-17  6:47           ` Jian-Hong Pan
2018-11-14 16:01       ` [PATCH V3 2/7] net: lorawan: Add LoRaWAN socket module Jian-Hong Pan
2018-11-17  4:32         ` David Miller
2018-11-17 14:54           ` Jian-Hong Pan
2018-12-04 14:13             ` [PATCH V4 0/6] net: lorawan: Add LoRaWAN soft MAC module Jian-Hong Pan
2018-12-04 14:13             ` [PATCH V4 1/6] net: lorawan: Add LoRaWAN socket module Jian-Hong Pan
2018-12-04 14:13             ` [PATCH V4 2/6] net: lorawan: Add LoRaWAN API declaration for LoRa devices Jian-Hong Pan
2018-12-04 14:13             ` [PATCH V4 3/6] net: maclorawan: Add maclorawan module declaration Jian-Hong Pan
2018-12-04 14:13             ` [PATCH V4 4/6] net: maclorawan: Implement the crypto of maclorawan module Jian-Hong Pan
2018-12-04 14:13             ` [PATCH V4 5/6] net: maclorawan: Implement maclorawan class module Jian-Hong Pan
2018-12-04 20:45               ` Alan Cox
2018-12-09  8:27                 ` Jian-Hong Pan [this message]
2018-12-16 10:18                   ` [PATCH v5 0/6] net: lorawan: Add LoRaWAN soft MAC module Jian-Hong Pan
2018-12-17 13:51                     ` Jiri Pirko
2018-12-16 10:18                   ` [PATCH v5 1/6] net: lorawan: Add LoRaWAN socket module Jian-Hong Pan
2018-12-29  7:27                     ` Andreas Färber
2019-01-07 14:47                       ` Jian-Hong Pan
2019-01-13 14:51                         ` Jian-Hong Pan
2018-12-16 10:18                   ` [PATCH v5 2/6] net: lorawan: Add LoRaWAN API declaration for LoRa devices Jian-Hong Pan
2018-12-16 10:18                   ` [PATCH v5 3/6] net: maclorawan: Add maclorawan module declaration Jian-Hong Pan
2018-12-16 10:18                   ` [PATCH v5 4/6] net: maclorawan: Implement the crypto of maclorawan module Jian-Hong Pan
2018-12-16 10:18                   ` [PATCH v5 5/6] net: maclorawan: Implement maclorawan class module Jian-Hong Pan
2018-12-17 14:02                     ` Jiri Pirko
2018-12-18 14:27                       ` Jian-Hong Pan
2018-12-18 14:27                         ` Jiri Pirko
2018-12-18 15:34                           ` Jian-Hong Pan
2018-12-18 18:49                         ` Andreas Färber
2018-12-19 11:27                           ` Ben Whitten
2018-12-19 16:26                             ` Jian-Hong Pan
2018-12-20  9:20                               ` Xue Liu
2018-12-20 16:00                                 ` Jian-Hong Pan
2018-12-28  8:11                                   ` Netlink userspace tools for LoRa(WAN), FSK, Sigfox, BLE, etc. (was: [PATCH v5 5/6] net: maclorawan: Implement maclorawan class module) Andreas Färber
2018-12-28 15:49                                     ` Alexander Aring
2018-12-20 10:19                               ` [PATCH v5 5/6] net: maclorawan: Implement maclorawan class module Ben Whitten
2018-12-20 15:31                                 ` Andreas Färber
2018-12-16 10:19                   ` [PATCH v5 6/6] net: lorawan: List LORAWAN in menuconfig Jian-Hong Pan
2018-12-17  8:50                     ` Xue Liu
2018-12-17 14:19                       ` Andreas Färber
2018-12-18 13:50                         ` Xue Liu
2018-12-24 15:32                           ` Alexander Aring
2018-12-28  4:57                             ` Andreas Färber
2018-12-28 15:43                               ` Alexander Aring
2018-12-29  6:28                                 ` Andreas Färber
2018-12-04 14:13             ` [PATCH V4 " Jian-Hong Pan
2018-11-14 16:01       ` [PATCH V3 3/7] net: lorawan: Add LoRaWAN API declaration for LoRa devices Jian-Hong Pan
2018-11-14 16:01       ` [PATCH V3 4/7] net: maclorawan: Add maclorawan module declaration Jian-Hong Pan
2018-11-17  4:32         ` David Miller
2018-11-17  6:32           ` Jian-Hong Pan
2018-11-14 16:01       ` [PATCH V3 5/7] net: maclorawan: Implement the crypto of maclorawan module Jian-Hong Pan
2018-11-14 16:01       ` [PATCH V3 6/7] net: maclorawan: Implement maclorawan class module Jian-Hong Pan
2018-11-14 16:01       ` [PATCH V3 7/7] net: lorawan: List LORAWAN in menuconfig Jian-Hong Pan
2018-11-05 16:55   ` [PATCH V2 3/7] net: lorawan: Add LoRaWAN API declaration for LoRa devices Jian-Hong Pan
2018-11-05 16:55   ` [PATCH V2 4/7] net: maclorawan: Add maclorawan module declaration Jian-Hong Pan
2018-11-05 16:55   ` [PATCH V2 5/7] net: maclorawan: Implement the crypto of maclorawan module Jian-Hong Pan
2018-11-05 16:55   ` [PATCH V2 6/7] net: maclorawan: Implement maclorawan class module Jian-Hong Pan
2018-11-05 16:55   ` [PATCH V2 7/7] net: lorawan: List LORAWAN in menuconfig Jian-Hong Pan
2018-08-23 17:15 ` [RFC 2/3 net] lorawan: Add macro and definition for LoRaWAN class modlue Jian-Hong Pan
2018-09-23 16:06   ` Andreas Färber
2018-09-26 14:46     ` Jian-Hong Pan
2018-08-23 17:15 ` [RFC 3/3 net] lorawan: List LORAWAN in menuconfig Jian-Hong Pan

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to='CAC=mGziyi1ierhg++SUcHMrq1JQ0vH4gZCKUZgchzb8aD1Rv5Q@mail.gmail.com' \
    --to=starnight@g.ncu.edu.tw \
    --cc=afaerber@suse.de \
    --cc=davem@davemloft.net \
    --cc=dollar.chen@wtmec.com \
    --cc=gnomes@lxorguk.ukuu.org.uk \
    --cc=ken.yu@rakwireless.com \
    --cc=linux-arm-kernel@lists.infradead.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-wpan@vger.kernel.org \
    --cc=marcel@holtmann.org \
    --cc=netdev@vger.kernel.org \
    --cc=stefan@datenfreihafen.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Linux-WPAN Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-wpan/0 linux-wpan/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-wpan linux-wpan/ https://lore.kernel.org/linux-wpan \
		linux-wpan@vger.kernel.org
	public-inbox-index linux-wpan

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-wpan


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git