X-Mailing-List: linux-bluetooth@vger.kernel.org
References: <20240428054307.1178347-1-iam@sung-woo.kim>
From: Luiz Augusto von Dentz
Date: Wed, 1 May 2024 18:36:26 -0400
Subject: Re: [PATCH] Bluetooth: L2CAP: Fix div-by-zero in l2cap_le_flowctl_init()
To: Sungwoo Kim
Cc: daveti@purdue.edu, Marcel Holtmann, Johan Hedberg, linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org

Hi Sungwoo,

On Wed, May 1, 2024 at 6:23 PM Sungwoo Kim wrote:
>
> Dear Luiz,
>
> On Mon, Apr 29, 2024 at 11:15 AM Luiz Augusto von Dentz wrote:
> >
> > Hi Sungwoo,
> >
> > On Sun, Apr 28, 2024 at 1:43 AM Sungwoo Kim wrote:
> > >
> > > Hello, could you review this bug and its patch?
> > >
> > > l2cap_le_flowctl_init() can cause both div-by-zero and an integer overflow.
> > >
> > > l2cap_le_flowctl_init()
> > >   chan->mps = min_t(u16, chan->imtu, chan->conn->mtu - L2CAP_HDR_SIZE);
> > >   chan->rx_credits = (chan->imtu / chan->mps) + 1; <- div-by-zero
> > >
> > > Here, mtu could be less than or equal to L2CAP_HDR_SIZE (4). If mtu is 4, it
> > > causes div-by-zero. If mtu is less than 4, it causes an integer overflow.
> >
> > That is because it is not valid to have hdev->le_mtu < 0x001b (the
> > range is 0x001b to 0xffff), so we should really look into checking
> > that conn->mtu is actually valid.
> >
> > > How mtu could have such a low value:
> > >
> > > hci_cc_le_read_buffer_size()
> > >   hdev->le_mtu = __le16_to_cpu(rp->le_mtu);
> > >
> > > l2cap_conn_add()
> > >   conn->mtu = hcon->hdev->le_mtu;
> >
> > Yeah, this assignment is incorrect, and in fact we don't do that if
> > le_mtu is zero, so we probably should do some checks, e.g. le_mtu >
> > 0x001a, or perhaps we need to move the MTU directly to hci_conn so it
> > can check there are enough buffers to serve the link so we stop the
> > connection procedure earlier.
>
> Let's say we moved MTU directly to hci_conn and already checked enough
> buffers at the creation of hcon.
> Then, what should happen if hdev->le_mtu is updated? (by a new
> le_read_buffer_size cmd)
> Should hcon->mtu be synced with hdev->le_mtu? Or can hcon->mtu keep
> its old value?

What now, why would we read it again? These commands are only supposed to
be sent during the init phase, and if you do this sort of thing as an event
without a command then it is also against the spec and we shall probably
just ignore it if there is no command pending.

> Best,
> Sungwoo.

-- 
Luiz Augusto von Dentz
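An added example, not code from this thread or from the kernel: a small C model of the mps/rx_credits derivation quoted above, first unguarded (to show what a conn->mtu of 4 or less does to mps) and then with the le_mtu range check from the reply applied before the arithmetic. The struct and function names (le_chan, unguarded_mps, le_flowctl_init_checked) are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constants as named in the thread: L2CAP_HDR_SIZE is the 4-byte basic
 * header, LE_MTU_MIN the 0x001b lower bound of the valid le_mtu range. */
#define L2CAP_HDR_SIZE 4
#define LE_MTU_MIN     0x001b

/* Hypothetical stand-in for the l2cap_chan fields the thread discusses. */
struct le_chan {
    uint16_t imtu;       /* incoming MTU the local side advertised */
    uint16_t mps;        /* maximum PDU payload size derived from the link */
    uint16_t rx_credits; /* credits to grant so a full SDU fits */
};

/* The unguarded derivation of mps, mirroring the quoted
 * l2cap_le_flowctl_init(): both operands are truncated to u16 the way
 * min_t(u16, ...) does. With conn_mtu == 4 this yields 0 (the later
 * divide-by-zero); with conn_mtu < 4 the subtraction wraps to 0xffff, so
 * mps silently becomes imtu, far more than the link can carry. */
uint16_t unguarded_mps(uint16_t imtu, uint16_t conn_mtu)
{
    uint16_t room = (uint16_t)(conn_mtu - L2CAP_HDR_SIZE);
    return imtu < room ? imtu : room;
}

/* Guarded version: reject a connection MTU outside the spec range before it
 * reaches the arithmetic, which is the check the reply suggests. Returns 0
 * on success and -1 if conn_mtu (or the resulting mps) is unusable. */
int le_flowctl_init_checked(struct le_chan *chan, uint16_t conn_mtu)
{
    if (conn_mtu < LE_MTU_MIN)
        return -1;                    /* le_mtu < 0x001b is not valid */
    chan->mps = unguarded_mps(chan->imtu, conn_mtu);
    if (chan->mps == 0)
        return -1;                    /* only reachable with imtu == 0 */
    chan->rx_credits = (chan->imtu / chan->mps) + 1;
    return 0;
}
```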