lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 9 Oct 2021 17:12:50 +0800
From:   Zhang Changzhong <zhangchangzhong@...wei.com>
To:     Kurt Van Dijck <dev.kurt@...dijck-laurijssen.be>
CC:     Oleksij Rempel <o.rempel@...gutronix.de>,
        Robin van der Gracht <robin@...tonic.nl>,
        Oleksij Rempel <linux@...pel-privat.de>,
        <kernel@...gutronix.de>, Oliver Hartkopp <socketcan@...tkopp.net>,
        "Marc Kleine-Budde" <mkl@...gutronix.de>,
        "David S. Miller" <davem@...emloft.net>,
        Jakub Kicinski <kuba@...nel.org>,
        Maxime Jayat <maxime.jayat@...ile-devices.fr>,
        <linux-can@...r.kernel.org>, <netdev@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH net] can: j1939: j1939_xtp_rx_dat_one(): cancel session if
 receive TP.DT with error length

On 2021/10/9 1:09, Kurt Van Dijck wrote:
> On Fri, 08 Oct 2021 13:00:07 +0200, Oleksij Rempel wrote:
>> On Fri, Oct 08, 2021 at 05:22:12PM +0800, Zhang Changzhong wrote:
>>> Hi Kurt,
>>> Sorry for the late reply.
>>>
>>> On 2021/9/30 15:42, Kurt Van Dijck wrote:
>>>> On Thu, 30 Sep 2021 11:33:20 +0800, Zhang Changzhong wrote:
>>>>> According to SAE-J1939-21, the data length of TP.DT must be 8 bytes, so
>>>>> cancel session when receive unexpected TP.DT message.
>>>>
>>>> SAE-j1939-21 indeed says that all TP.DT must be 8 bytes.
>>>> However, the last TP.DT may contain up to 6 stuff bytes, which have no meaning.
>>>> If I remember well, they are even not 'reserved'.
>>>
>>> Agree, these bytes are meaningless for last TP.DT.
>>>
>>>>
>>>>>
>>>>> Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
>>>>> Signed-off-by: Zhang Changzhong <zhangchangzhong@...wei.com>
>>>>> ---
>>>>>  net/can/j1939/transport.c | 7 +++++--
>>>>>  1 file changed, 5 insertions(+), 2 deletions(-)
>>>>>
>>>>> diff --git a/net/can/j1939/transport.c b/net/can/j1939/transport.c
>>>>> index bb5c4b8..eedaeaf 100644
>>>>> --- a/net/can/j1939/transport.c
>>>>> +++ b/net/can/j1939/transport.c
>>>>> @@ -1789,6 +1789,7 @@ static void j1939_xtp_rx_dpo(struct j1939_priv *priv, struct sk_buff *skb,
>>>>>  static void j1939_xtp_rx_dat_one(struct j1939_session *session,
>>>>>  				 struct sk_buff *skb)
>>>>>  {
>>>>> +	enum j1939_xtp_abort abort = J1939_XTP_ABORT_FAULT;
>>>>>  	struct j1939_priv *priv = session->priv;
>>>>>  	struct j1939_sk_buff_cb *skcb, *se_skcb;
>>>>>  	struct sk_buff *se_skb = NULL;
>>>>> @@ -1803,9 +1804,11 @@ static void j1939_xtp_rx_dat_one(struct j1939_session *session,
>>>>>  
>>>>>  	skcb = j1939_skb_to_cb(skb);
>>>>>  	dat = skb->data;
>>>>> -	if (skb->len <= 1)
>>>>> +	if (skb->len != 8) {
>>>>>  		/* makes no sense */
>>>>> +		abort = J1939_XTP_ABORT_UNEXPECTED_DATA;
>>>>>  		goto out_session_cancel;
>>>>
>>>> I think this is a situation of
>>>> "be strict on what you send, be tolerant on what you receive".
>>>>
>>>> Did you find a technical reason to abort a session because the last frame didn't
>>>> bring overhead that you don't use?
>>>
>>> No technical reason. The only reason is that SAE-J1939-82 requires responder
>>> to abort session if any TP.DT less than 8 bytes (section A.3.4, Row 7).
> 
> IMHO, this is some kind of laziness to make the exception for the last TP.DT.
> 
> I attended an ISOBUS certification (back in 2013) where the transmitting
> node effectively stripped the trailing bytes, and this 'deviation' was
> not even noticed.

I found that SAE-J1939-82 contains the following test:
"BAM Transport: Ensure extra (unused) bytes of last Data Transfer data packet
is/are filled-in correctly. (DUT as Originator)" ... "Verify last TP.DT data
packet for a BAM transport is sent with an 8 byte data field and the unused
bytes of this packet are filled with FF" (section A.3.3, Row 8).

So the J1939 compliance test can detect this kind of 'deviation', perhaps
ISOBUS certification does not do this check?

> 
> This change applies to the receiving side. Would a sender that
> leaves the trailing bytes want you to discard the session bacause of this?
> So the spirit of the SAE-J1939-82 is, in this case, different from
> the strict literal interpretation.

Such packets should not be sent if the sender complies with SAE-J1939-82, but
if the transmitting node you mentioned above exist on the network, this patch
will casue their sessions to be aborted. From this point of view, I think it is
reasonable to drop this patch.

Regards,
Changzhong

> 
>>
>> Do you mean: "BAM Transport: Ensure DUT discards BAM transport when
>> TP.DT data packets are not correct size" ... "Verify DUT discards the
>> BAM transport if any TP.DT data packet has less than 8 bytes"?
> 
> Kind regards,
> Kurt
> .
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ