Hi,
I'm new to this list. Please let me know if there is a more
appropriate place to report this.
It appears that extract_seq() in sdp.c (bluez-libs) can enter an
infinite loop if sdp_extract_seqtype() fails when extract_seq() has
called itself recursively. Here's how:
 1 static sdp_data_t *extract_seq(const void *p, int *len,
                                  sdp_record_t *rec)
 2 {
 3     int seqlen, n = 0;
 4     sdp_data_t *curr, *prev;
 5     sdp_data_t *d = (sdp_data_t *)malloc(sizeof(sdp_data_t));
 6
 7     SDPDBG("Extracting SEQ");
 8     memset(d, 0, sizeof(sdp_data_t));
 9     *len = sdp_extract_seqtype(p, &d->dtd, &seqlen);
10     SDPDBG("Sequence Type : 0x%x length : 0x%x\n", d->dtd, seqlen);
11
12     if (*len == 0)
13         return d;
14
15     p += *len;
16     curr = prev = NULL;
17     while (n < seqlen) {
18         int attrlen = 0;
19         curr = sdp_extract_attr(p, &attrlen, rec);
20         if (curr == NULL)
21             break;
22
23         if (prev)
24             prev->next = curr;
25         else
26             d->val.dataseq = curr;
27         prev = curr;
28         p += attrlen;
29         n += attrlen;
30
31         SDPDBG("Extracted: %d SequenceLength: %d", n, seqlen);
32     }
33
34     *len += n;
35     return d;
36 }
On line 9, sdp_extract_seqtype() will return zero if it does not
recognize the sequence type. When this happens, extract_seq() will
set the output argument len to zero and return a pointer on line 13.
Note that it will NOT return NULL. It returns the chunk allocated on
line 5.
Now, the while loop calls sdp_extract_attr() on line 19. This call
sets attrlen. The loop will not advance if attrlen remains zero.
The sdp_extract_attr() function can in turn call extract_seq() again
recursively. When that happens here, the call to sdp_extract_attr()
is equivalent to calling extract_seq() directly.
The loop would break on line 21 if sdp_extract_attr() returned NULL.
But sdp_extract_attr() never returns NULL if it calls extract_seq(),
because extract_seq() never returns NULL.
Thus, if sdp_extract_attr() calls extract_seq(), and then the
sdp_extract_seqtype() call fails, then the loop will not break,
because sdp_extract_attr() will return non-NULL, and the loop will
not advance because attrlen will be zero.
Jason Watts
Embedded Software Engineer
Qwikker, Inc.
_______________________________________________
Bluez-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/bluez-devel
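The failure mode described above (a sequence loop whose counter only moves by what the callee consumed, and a callee that signals failure as a non-NULL pointer with a zero length) is the kind of thing a defensive parser guards against explicitly. The following is an added example, not bluez code and not the fix that later went into bluez-libs: a small constructed parser with the same shape (a sequence extractor that recurses through an attribute extractor), where failures are reported as a status rather than as a zero length on a valid result, where the declared sequence length is checked against the bytes actually available, and where the loop refuses to continue if a callee consumed nothing. The descriptor values DTD_UINT8 and DTD_SEQ8, the depth limit, the sample byte strings and all function names are assumptions made for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed, simplified descriptors for this example (not the real SDP DTD
 * table): 0x08 = one-byte unsigned integer, 0x35 = sequence whose length is
 * carried in the one byte that follows. */
#define DTD_UINT8 0x08
#define DTD_SEQ8  0x35
#define MAX_DEPTH 8          /* assumed nesting limit for recursion */

enum parse_status {
	PARSE_OK = 0,
	PARSE_UNKNOWN_TYPE,   /* descriptor byte not recognised */
	PARSE_TRUNCATED,      /* declared length runs past the buffer */
	PARSE_NO_PROGRESS,    /* a callee reported success but consumed nothing */
	PARSE_TOO_DEEP        /* nesting limit reached */
};

struct parse_result {
	enum parse_status status;
	size_t consumed;      /* bytes the element occupied; 0 on failure */
	int elements;         /* leaf integers found, recursively */
};

static struct parse_result fail(enum parse_status s)
{
	struct parse_result r = { s, 0, 0 };
	return r;
}

static struct parse_result extract_attr(const uint8_t *p, size_t avail, int depth);

/* Counterpart of sdp_extract_seqtype(): header length, or 0 when the
 * descriptor is not a sequence or the header itself is cut off. */
static size_t extract_seqtype(const uint8_t *p, size_t avail, size_t *seqlen)
{
	if (avail < 2 || p[0] != DTD_SEQ8)
		return 0;
	*seqlen = p[1];
	return 2;
}

static struct parse_result extract_seq(const uint8_t *p, size_t avail, int depth)
{
	struct parse_result r = { PARSE_OK, 0, 0 };
	size_t hdr, seqlen, n = 0;

	if (depth > MAX_DEPTH)
		return fail(PARSE_TOO_DEEP);
	hdr = extract_seqtype(p, avail, &seqlen);
	if (hdr == 0)          /* failure is a status, not a valid result with len 0 */
		return fail(PARSE_UNKNOWN_TYPE);
	if (seqlen > avail - hdr)
		return fail(PARSE_TRUNCATED);
	p += hdr;
	while (n < seqlen) {
		struct parse_result sub = extract_attr(p, seqlen - n, depth + 1);
		if (sub.status != PARSE_OK)
			return fail(sub.status);
		if (sub.consumed == 0)  /* n would never move: stop instead of spinning */
			return fail(PARSE_NO_PROGRESS);
		p += sub.consumed;
		n += sub.consumed;
		r.elements += sub.elements;
	}
	r.consumed = hdr + n;
	return r;
}

/* Counterpart of sdp_extract_attr(): dispatch on the descriptor byte and
 * recurse into extract_seq() for sequences. */
static struct parse_result extract_attr(const uint8_t *p, size_t avail, int depth)
{
	struct parse_result leaf = { PARSE_OK, 2, 1 };  /* descriptor + one value byte */

	if (avail < 1)
		return fail(PARSE_TRUNCATED);
	switch (p[0]) {
	case DTD_UINT8:
		return avail < 2 ? fail(PARSE_TRUNCATED) : leaf;
	case DTD_SEQ8:
		return extract_seq(p, avail, depth);
	default:
		return fail(PARSE_UNKNOWN_TYPE);
	}
}

/* Entry point: parse one attribute (possibly a nested sequence) from a buffer. */
struct parse_result parse_record(const uint8_t *buf, size_t len)
{
	return extract_attr(buf, len, 0);
}

/* Constructed sample inputs; not captured from any device. */
const uint8_t SAMPLE_FLAT[]      = { DTD_SEQ8, 4, DTD_UINT8, 1, DTD_UINT8, 2 };
const uint8_t SAMPLE_NESTED[]    = { DTD_SEQ8, 6, DTD_UINT8, 7, DTD_SEQ8, 2, DTD_UINT8, 9 };
const uint8_t SAMPLE_BADTYPE[]   = { DTD_SEQ8, 2, 0x99, 0 };
const uint8_t SAMPLE_TRUNCATED[] = { DTD_SEQ8, 5, DTD_UINT8, 1 };

int main(void)
{
	struct parse_result r = parse_record(SAMPLE_NESTED, sizeof SAMPLE_NESTED);
	printf("nested:   status=%d consumed=%zu elements=%d\n", r.status, r.consumed, r.elements);
	r = parse_record(SAMPLE_BADTYPE, sizeof SAMPLE_BADTYPE);
	printf("bad type: status=%d consumed=%zu\n", r.status, r.consumed);
	return 0;
}
```

The unknown descriptor nested inside SAMPLE_BADTYPE is exactly the situation the report above worries about: here it surfaces as PARSE_UNKNOWN_TYPE from the inner call and terminates the outer loop, and even if a callee ever returned success with zero bytes consumed, the PARSE_NO_PROGRESS check would still stop the loop.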
On Jun 20, 2006, at 12:37 AM, Pedro Monjo Florit wrote:
>>> All I know at this point is that /var/log/messages gets an endless
>>> flood of
>>>
>>> sdp_extract_seqtype: Unknown sequence type, aborting
>>>
>>> We don't know yet what triggers this. Of course I will follow up if
>>> it still turns out to be a problem in bluez.
>>
>> it is kinda likely that SDP still has endless loops in it. However,
>> please make sure you use the latest bluez-libs from CVS and really run
>> the latest sdpd and/or sdptool.
>
>
> In a message I sent to the mailing-list back in February (Valentine's
> day), I explained what, IMHO, is the same problem. I have seen this
> infinite loop being triggered by a Samsung mobile phone, but still do
> not know which. I did not state it then, but syslog got flooded with the
> same message that Jason reports.
Thanks, Pedro. This corroborates my findings and further isolates
the fault.
I don't know which phone, either. This happened at a large venue, so
it could have been anyone in range. However, I identified OUI and
CoD of the most likely culprits from our logs. Samsung OUIs also
showed up in our data.
Here are the candidates, from most likely to least:
OUI        CoD       Org. (from http://standards.ieee.org/regauth/oui/oui.txt)
00:15:B9   0x7A0204  Samsung Electronics
00:12:47   0x7A0204  Samsung Electronics
00:12:56   0x520204  LG Information & Comm.
00:0E:6D   0x520204  Murata Manufacturing
I've added code to capture a call chain when this problem occurs.
We'll deploy this change and hopefully nail down the problem.
¿.) Jason Watts
Embedded Software Engineer
Qwikker, Inc.
Hi Jason and Marcel,
>>>> It appears that extract_seq() in sdp.c (bluez-libs) can enter an
>>>> infinite loop if sdp_extract_seqtype() fails when extract_seq() has
>>>> called itself recursively. Here's how:
>>> Do you have a patch for it or can you send a small reproducer program?
>> This may be a false alarm. When I looked closer, I could not explain
>> how the program could reach the state I described. The problem is
>> that sdp_extract_attr() only calls extract_seq() for aggregate
>> types. In fact, exactly those types that sdp_extract_seqtype()
>> expects. With that invariant, I don't see how the program could fall
>> into the loop I described, not without resorting to exotic explanations.
>>
>> All I know at this point is that /var/log/messages gets an endless
>> flood of
>>
>> sdp_extract_seqtype: Unknown sequence type, aborting
>>
>> We don't know yet what triggers this. Of course I will follow up if
>> it still turns out to be a problem in bluez.
>
> it is kinda likely that SDP still has endless loops in it. However,
> please make sure you use the latest bluez-libs from CVS and really run
> the latest sdpd and/or sdptool.
In a message I sent to the mailing-list back in February (Valentine's
day), I explained what, IMHO, is the same problem. I have seen this
infinite loop being triggered by a Samsung mobile phone, but still do
not know which. I did not state it then, but syslog got flooded with the
same message that Jason reports.
I have tried to reproduce the problem with two Samsungs, with no luck.
All I could suggest is that anybody monitoring the list with a Samsung
at hand could fiddle with sdptool and see if the problem arises.
Cheers,
Pedro
Hi Jason,
> >> It appears that extract_seq() in sdp.c (bluez-libs) can enter an
> >> infinite loop if sdp_extract_seqtype() fails when extract_seq() has
> >> called itself recursively. Here's how:
> >
> > Do you have a patch for it or can you send a small reproducer program?
>
> This may be a false alarm. When I looked closer, I could not explain
> how the program could reach the state I described. The problem is
> that sdp_extract_attr() only calls extract_seq() for aggregate
> types. In fact, exactly those types that sdp_extract_seqtype()
> expects. With that invariant, I don't see how the program could fall
> into the loop I described, not without resorting to exotic explanations.
>
> All I know at this point is that /var/log/messages gets an endless
> flood of
>
> sdp_extract_seqtype: Unknown sequence type, aborting
>
> We don't know yet what triggers this. Of course I will follow up if
> it still turns out to be a problem in bluez.
it is kinda likely that SDP still has endless loops in it. However,
please make sure you use the latest bluez-libs from CVS and really run
the latest sdpd and/or sdptool.
Regards
Marcel
>> It appears that extract_seq() in sdp.c (bluez-libs) can enter an
>> infinite loop if sdp_extract_seqtype() fails when extract_seq() has
>> called itself recursively. Here's how:
>
> Do you have a patch for it or can you send a small reproducer program?
This may be a false alarm. When I looked closer, I could not explain
how the program could reach the state I described. The problem is
that sdp_extract_attr() only calls extract_seq() for aggregate
types. In fact, exactly those types that sdp_extract_seqtype()
expects. With that invariant, I don't see how the program could fall
into the loop I described, not without resorting to exotic explanations.
All I know at this point is that /var/log/messages gets an endless
flood of
sdp_extract_seqtype: Unknown sequence type, aborting
We don't know yet what triggers this. Of course I will follow up if
it still turns out to be a problem in bluez.
¿.) Jason Watts
Embedded Software Engineer
Qwikker, Inc.
Hi Jason,
> I'm new to this list. Please let me know if there is a more
> appropriate place to report this.
this mailing list is the correct place to report such problems.
> It appears that extract_seq() in sdp.c (bluez-libs) can enter an
> infinite loop if sdp_extract_seqtype() fails when extract_seq() has
> called itself recursively. Here's how:
Do you have a patch for it or can you send a small reproducer program?
Regards
Marcel
On Jun 20, 2006, at 12:54 PM, Jason Watts wrote:
> On Jun 20, 2006, at 12:37 AM, Pedro Monjo Florit wrote:
>
>>>> All I know at this point is that /var/log/messages gets an endless
>>>> flood of
>>>>
>>>> sdp_extract_seqtype: Unknown sequence type, aborting
>>>>
>>
>>
>> In a message I sent to the mailing-list back in February (Valentine's
>> day), I explained what, IMHO, is the same problem. I have seen this
>> infinite loop being triggered by a Samsung mobile phone, but still do
>> not know which.
>
>
> I've added code to capture a call chain when this problem occurs.
> We'll deploy this change and hopefully nail down the problem.
We've traced this to a known problem that occurs in bluez libs 2.10,
but was fixed in 2.23 (in sdp.c 1.31). I was looking at the wrong
version of the source code before, so I couldn't find the faulty
logic. It had already been fixed by then!
Thanks for the fix. :-)
Jason Watts
Embedded Software Engineer
Qwikker, Inc.