New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
nrf802154: Validate frame length before dst filter #11191
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My opinion is that any incoming data should be checked for its length ;-). However, I'm not sure that your solution guarantees that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just some suggestions.
But I have a more basic question: Could this filtering go into /drivers/netdev_ieee802154
?
return false; | ||
} | ||
size_t expected_len = ieee802154_get_frame_hdr_len(&rxbuf[1]); | ||
if (!expected_len) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could go into the last return.
Also, I'd prefer comparison with zero since its not a bool, but its fine to me if you like writing it this way.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, I agree with your suggestion to compare with zero to increase readability. I'll also try to make the set of checks a bit more readable with some comments :)
I think so, I have to check if I can simply extend the functions or have to change the API slightly. |
I discussed this with Martine before, and she mentioned, that rxbuf[0] or anything similar might not be available for other drivers. I think this could be investigated and the decision should be based on that. Anyway, just tested sending, obviously still works. I did not try to break it, because i had no idea how to easily send an invalid frame. |
@bergzand small reminder |
Hey, @bergzand do you still work on this PR? |
Hey @SemjonKerner, sorry for the delays. I don't really have time to work on this at the moment but I haven't forgotten about this PR. |
@SemjonKerner Thanks for the patience here. I've refactored this PR a bit to a generic data frame validation function called by the nrf802514 radio code. Let me know what you think. |
Oh, can you pls rebase. Throws some gcc changes that are fixed in master. |
e216a1f
to
8e8b011
Compare
Rebased! |
LGTM, but i can't test it today. I'd like to run it once, before merging. I guess it's alright for you to wait a few more days.? |
So, uhm.. I was just checking out this PR and started a udp server on my nrf52840dk. But I cannot receive packets from samr21-xpro to nrf52840dk. Sending from nrf52840dk to samr21-xpro works. So reception is somehow broken now. EDIT: On master everything is fine. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please make sure the return values of the filter function are correct.
(frame_len > expected_len) && | ||
((*mhr & IEEE802154_FCF_TYPE_MASK) == IEEE802154_FCF_TYPE_DATA) && | ||
(netdev_ieee802154_dst_filter(dev, mhr) == 0)) { | ||
return 0; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Okay, I think you mixed up the return values.
const uint8_t *mhr, size_t frame_len) | ||
{ | ||
if (frame_len < IEEE802154_FCF_LEN) { | ||
return 1; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be zero?
ae120c5#diff-864e98442504008c9fad4791703b0e35R144
ping @bergzand! :) |
Ping, also #16576 is touching this. |
This PR can likely be closed with the same argumentation as in #11150. |
@benpicco this one can be closed as well. |
Contribution description
This PR adds a length check to the received frame. This prevents the destination filter check in the driver from reading beyond the received frame length. This increases the time spent in the receive part of the interrupt by 0.875µs (from 6.75µs to 7.625µs).
Also requesting a review from @miri64 and @haukepetersen as they probably also have an opinion on the additional check here.
Testing procedure
Basic receive validation should be enough.
Before this PR it should have been possible to trigger a netif receive operation on an incorrect frame after a valid frame was received.
Issues/PRs references
None