Source-Changes-HG archive


[src/trunk]: src/sys/netbt two issues noted by maxv@



details:   https://anonhg.NetBSD.org/src/rev/2cbb84615d9f
branches:  trunk
changeset: 993370:2cbb84615d9f
user:      plunky <plunky%NetBSD.org@localhost>
date:      Fri Sep 07 14:47:15 2018 +0000

description:
two issues noted by maxv@

1. If an adaptor sends repeated fragments indicating HCI_PACKET_START,
   we would leak mbufs. Fix that by releasing the previous in that case.

2. If an adaptor sends fragments which overflow the expected total
   payload length, it could build up the pending packet to use up system
   mbufs. Fix that by changing the unsigned calculation to a comparison
   and rejecting oversize packets.
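A simplified user-space model of the two fixes described above, added here as an example and not part of the commit or the NetBSD source: pending packets are plain heap buffers, `live_bufs` stands in for the system mbuf pool so a leak is observable, and the constants, struct and function names are assumptions chosen for the model.

```c
/* Simplified model of the ACL fragment reassembly in hci_link.c after this change.
 * Example code, not the NetBSD source: a pending packet is one heap buffer and
 * live_bufs counts allocations so a leak shows up as a nonzero count. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HCI_PACKET_START    2
#define HCI_PACKET_FRAGMENT 1
#define L2CAP_HDR_LEN       4      /* sizeof(l2cap_hdr_t): 16-bit length + cid (assumed) */

static int live_bufs;              /* stands in for the system mbuf pool */
static int frames_delivered;       /* calls to the l2cap_recv_frame() stand-in */

struct acl_link { uint8_t *rxp; size_t got; };   /* pending packet and bytes held */

static void drop(struct acl_link *l)   /* m_freem() of the pending packet */
{ free(l->rxp); l->rxp = NULL; l->got = 0; live_bufs--; }

/* Feed one ACL fragment. Returns 1 if a complete L2CAP frame was delivered, 0 otherwise. */
static int acl_recv(struct acl_link *l, int pb, const uint8_t *d, size_t len)
{
    if (pb == HCI_PACKET_START) {
        if (len < L2CAP_HDR_LEN) return 0;        /* the "goto bad" short-frame path */
        if (l->rxp != NULL) drop(l);              /* fix 1: release the stale partial packet */
        l->rxp = malloc(len); live_bufs++;
        memcpy(l->rxp, d, len); l->got = len;
    } else if (pb == HCI_PACKET_FRAGMENT && l->rxp != NULL) {
        uint8_t *n = realloc(l->rxp, l->got + len);
        if (n == NULL) { drop(l); return 0; }     /* allocation failure: drop, do not hang */
        l->rxp = n; memcpy(l->rxp + l->got, d, len); l->got += len;
    } else return 0;                              /* fragment with nothing pending */

    size_t want = (size_t)l->rxp[0] | ((size_t)l->rxp[1] << 8);  /* le16 payload length */
    size_t got = l->got - L2CAP_HDR_LEN;          /* safe: START enforced the header length */
    if (got < want) return 0;                     /* wait for more */
    int ok = (got == want);                       /* fix 2: oversize packets are rejected */
    if (ok) frames_delivered++;
    drop(l);                                      /* frame consumed or dropped either way */
    return ok;
}

static int pending_bufs(void) { return live_bufs; }
static int delivered(void) { return frames_delivered; }
```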

diffstat:

 sys/netbt/hci_link.c |  29 +++++++++++++++++++----------
 1 files changed, 19 insertions(+), 10 deletions(-)

diffs (67 lines):

diff -r 5d0dd0fbda7d -r 2cbb84615d9f sys/netbt/hci_link.c
--- a/sys/netbt/hci_link.c      Fri Sep 07 13:24:14 2018 +0000
+++ b/sys/netbt/hci_link.c      Fri Sep 07 14:47:15 2018 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: hci_link.c,v 1.24 2014/05/20 18:25:54 rmind Exp $      */
+/*     $NetBSD: hci_link.c,v 1.25 2018/09/07 14:47:15 plunky Exp $     */
 
 /*-
  * Copyright (c) 2005 Iain Hibbert.
@@ -31,7 +31,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: hci_link.c,v 1.24 2014/05/20 18:25:54 rmind Exp $");
+__KERNEL_RCSID(0, "$NetBSD: hci_link.c,v 1.25 2018/09/07 14:47:15 plunky Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
@@ -475,12 +475,15 @@
 
        switch (pb) {
        case HCI_PACKET_START:
-               if (link->hl_rxp != NULL)
+               if (m->m_pkthdr.len < sizeof(l2cap_hdr_t))
+                       goto bad;
+
+               if (link->hl_rxp != NULL) {
                        aprint_error_dev(unit->hci_dev,
                            "dropped incomplete ACL packet\n");
 
-               if (m->m_pkthdr.len < sizeof(l2cap_hdr_t))
-                       goto bad;
+                       m_freem(link->hl_rxp);
+               }
 
                link->hl_rxp = m;
                got = m->m_pkthdr.len;
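Review bot: with the length check now ahead of the `link->hl_rxp` test, the `goto bad` on a short HCI_PACKET_START frees only `m` and leaves the stale partial packet in `link->hl_rxp` until the next valid start fragment; that is bounded to one packet, but either releasing `link->hl_rxp` on that path as well or a comment saying the stale packet is intentionally kept would make the intent explicit. Separately, `aprint_error_dev` on every repeated start fragment means a misbehaving adaptor can drive console logging; the DPRINTF used for the overflow case in the next hunk, or a rate-limited message, would be more consistent.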
@@ -508,18 +511,24 @@
        }
 
        m_copydata(m, 0, sizeof(want), &want);
-       want = le16toh(want) + sizeof(l2cap_hdr_t) - got;
+       want = le16toh(want);
+       got -= sizeof(l2cap_hdr_t);
 
-       if (want > 0)
+       if (got < want)         /* wait for more */
                return;
 
        link->hl_rxp = NULL;
 
-       if (want == 0) {
-               l2cap_recv_frame(m, link);
-               return;
+       if (got > want) {
+               DPRINTF("%s: packet overflow\n",
+                       device_xname(unit->hci_dev));
+
+               goto bad;
        }
 
+       l2cap_recv_frame(m, link);
+       return;
+
 bad:
        m_freem(m);
 }
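Review bot: `got -= sizeof(l2cap_hdr_t)` relies on the HCI_PACKET_START case having rejected frames shorter than the L2CAP header before `got` was set, and the types of `got` and `want` are not visible in this hunk; a one-line comment recording that invariant would help the next reader, since the correctness of the `got < want` / `got > want` split depends on it. The overflow path is also less visible than the incomplete-packet path: the latter uses `aprint_error_dev` while packet overflow, the condition that could exhaust mbufs, is only a DPRINTF; an always-on counter or the same `aprint_error_dev` call would keep it observable in non-debug kernels.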


