[IrDA]: Frame length validation.

When using a stir4200-based USB adaptor to talk to a device that uses an mcp2150, the stir4200 sometimes drops an incoming frame causing the mcp2150 to try and retransmit the lost frame. In this combination, the next frame received from the mcp2150 is often invalid - either an empty i:rsp or an IrCOMM i:rsp with an invalid clen. These corner cases are now checked. Signed-off-by: Robie Basak <rb-oss-1@justgohome.co.uk> Signed-off-by: Samuel Ortiz <samuel@sortiz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Robie Basak <rb-oss-1@justgohome.co.uk> 2008-01-19 02:58:44 -0500
committer: David S. Miller <davem@davemloft.net> 2008-01-28 18:08:09 -0500
commit: 5d780cd6585d242d9592a479fe75a007fd75155d (patch)
tree: d0cb1ed0a2391e9a5efb746c37ff69fd6848f481 /net/irda
parent: 6d97b53e92af822890b87818c99820df47fc589b (diff)
2 files changed, 25 insertions, 0 deletions
diff --git a/net/irda/ircomm/ircomm_core.c b/net/irda/ircomm/ircomm_core.c
index 2d63fa8e1556..b825399fc160 100644
--- a/net/irda/ircomm/ircomm_core.c
+++ b/net/irda/ircomm/ircomm_core.c
@@ -363,6 +363,18 @@ void ircomm_process_data(struct ircomm_cb *self, struct sk_buff *skb)
        clen = skb->data[0];
        /*
+         * Input validation check: a stir4200/mcp2150 combinations sometimes
+         * results in frames with clen > remaining packet size. These are
+         * illegal; if we throw away just this frame then it seems to carry on
+         * fine
+         */
+        if (unlikely(skb->len < (clen + 1))) {
+                IRDA_DEBUG(2, "%s() throwing away illegal frame\n",
+                           __FUNCTION__ );
+                return;
+        }
+        /*
         * If there are any data hiding in the control channel, we must
         * deliver it first. The side effect is that the control channel
         * will be removed from the skb
diff --git a/net/irda/irlap_event.c b/net/irda/irlap_event.c
index 6d3aff862dc2..6af86eba7463 100644
--- a/net/irda/irlap_event.c
+++ b/net/irda/irlap_event.c
@@ -1199,6 +1199,19 @@ static int irlap_state_nrm_p(struct irlap_cb *self, IRLAP_EVENT event,
        switch (event) {
        case RECV_I_RSP: /* Optimize for the common case */
+                if (unlikely(skb->len <= LAP_ADDR_HEADER + LAP_CTRL_HEADER)) {
+                        /*
+                         * Input validation check: a stir4200/mcp2150
+                         * combination sometimes results in an empty i:rsp.
+                         * This makes no sense; we can just ignore the frame
+                         * and send an rr:cmd immediately. This happens before
+                         * changing nr or ns so triggers a retransmit
+                         */
+                        irlap_wait_min_turn_around(self, &self->qos_tx);
+                        irlap_send_rr_frame(self, CMD_FRAME);
+                        /* Keep state */
+                        break;
+                }
                /* FIXME: must check for remote_busy below */
 #ifdef CONFIG_IRDA_FAST_RR
                /*
author	Robie Basak <rb-oss-1@justgohome.co.uk>	2008-01-19 02:58:44 -0500
committer	David S. Miller <davem@davemloft.net>	2008-01-28 18:08:09 -0500
commit	5d780cd6585d242d9592a479fe75a007fd75155d (patch)
tree	d0cb1ed0a2391e9a5efb746c37ff69fd6848f481 /net/irda
parent	6d97b53e92af822890b87818c99820df47fc589b (diff)

diff --git a/net/irda/ircomm/ircomm_core.c b/net/irda/ircomm/ircomm_core.c index 2d63fa8e1556..b825399fc160 100644 --- a/net/irda/ircomm/ircomm_core.c +++ b/net/irda/ircomm/ircomm_core.c
@@ -363,6 +363,18 @@ void ircomm_process_data(struct ircomm_cb self, struct sk_buff skb)
363	clen = skb->data[0];	363	clen = skb->data[0];
364		364
365	/*	365	/*
		366	* Input validation check: a stir4200/mcp2150 combinations sometimes
		367	* results in frames with clen > remaining packet size. These are
		368	* illegal; if we throw away just this frame then it seems to carry on
		369	* fine
		370	*/
		371	if (unlikely(skb->len < (clen + 1))) {
		372	IRDA_DEBUG(2, "%s() throwing away illegal frame\n",
		373	__FUNCTION__ );
		374	return;
		375	}
		376
		377	/*
366	* If there are any data hiding in the control channel, we must	378	* If there are any data hiding in the control channel, we must
367	* deliver it first. The side effect is that the control channel	379	* deliver it first. The side effect is that the control channel
368	* will be removed from the skb	380	* will be removed from the skb


diff --git a/net/irda/irlap_event.c b/net/irda/irlap_event.c index 6d3aff862dc2..6af86eba7463 100644 --- a/net/irda/irlap_event.c +++ b/net/irda/irlap_event.c
@@ -1199,6 +1199,19 @@ static int irlap_state_nrm_p(struct irlap_cb *self, IRLAP_EVENT event,
1199		1199
1200	switch (event) {	1200	switch (event) {
1201	case RECV_I_RSP: /* Optimize for the common case */	1201	case RECV_I_RSP: /* Optimize for the common case */
		1202	if (unlikely(skb->len <= LAP_ADDR_HEADER + LAP_CTRL_HEADER)) {
		1203	/*
		1204	* Input validation check: a stir4200/mcp2150
		1205	* combination sometimes results in an empty i:rsp.
		1206	* This makes no sense; we can just ignore the frame
		1207	* and send an rr:cmd immediately. This happens before
		1208	* changing nr or ns so triggers a retransmit
		1209	*/
		1210	irlap_wait_min_turn_around(self, &self->qos_tx);
		1211	irlap_send_rr_frame(self, CMD_FRAME);
		1212	/* Keep state */
		1213	break;
		1214	}
1202	/* FIXME: must check for remote_busy below */	1215	/* FIXME: must check for remote_busy below */
1203	#ifdef CONFIG_IRDA_FAST_RR	1216	#ifdef CONFIG_IRDA_FAST_RR
1204	/*	1217	/*