/*
   BNEP implementation for Linux Bluetooth stack (BlueZ).
   Copyright (C) 2001-2002 Inventel Systemes
   Written 2001-2002 by
	Clément Moreau <clement.moreau@inventel.fr>
	David Libault <david.libault@inventel.fr>

   Copyright (C) 2002 Maxim Krasnyansky <maxk@qualcomm.com>

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License version 2 as
   published by the Free Software Foundation;

   THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
   OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
   FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS.
   IN NO EVENT SHALL THE COPYRIGHT HOLDER(S) AND AUTHOR(S) BE LIABLE FOR ANY
   CLAIM, OR ANY SPECIAL INDIRECT OR CONSEQUENTIAL DAMAGES, OR ANY DAMAGES
   WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
   ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
   OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

   ALL LIABILITY, INCLUDING LIABILITY FOR INFRINGEMENT OF ANY PATENTS,
   COPYRIGHTS, TRADEMARKS OR OTHER RIGHTS, RELATING TO USE OF THIS
   SOFTWARE IS DISCLAIMED.
*/
28 #include <linux/module.h>
30 #include <linux/kernel.h>
31 #include <linux/sched.h>
32 #include <linux/signal.h>
33 #include <linux/init.h>
34 #include <linux/wait.h>
35 #include <linux/freezer.h>
36 #include <linux/errno.h>
37 #include <linux/net.h>
38 #include <linux/slab.h>
39 #include <linux/kthread.h>
40 #include <net/sock.h>
42 #include <linux/socket.h>
43 #include <linux/file.h>
45 #include <linux/netdevice.h>
46 #include <linux/etherdevice.h>
47 #include <linux/skbuff.h>
49 #include <asm/unaligned.h>
51 #include <net/bluetooth/bluetooth.h>
52 #include <net/bluetooth/hci_core.h>
53 #include <net/bluetooth/l2cap.h>
55 #include "bnep.h"
/* Module version, logged by bnep_init() and exported via MODULE_VERSION() */
#define VERSION "1.3"

/* Module parameters (declared with module_param() at the end of this file)
 * gating the two BNEP header-compression decisions made in bnep_tx_frame(). */
static bool compress_src = true;
static bool compress_dst = true;

/* All live sessions.  The list is protected by bnep_session_sem; the
 * __bnep_* helpers below expect the caller to already hold it. */
static LIST_HEAD(bnep_session_list);
static DECLARE_RWSEM(bnep_session_sem);
/*
 * Look up the session whose peer MAC address is @dst.
 *
 * s->eh is the cached *receive* header, so s->eh.h_source holds the peer's
 * address (see the comment in bnep_add_connection()).  Every caller in this
 * file holds bnep_session_sem while calling this.
 *
 * Returns the matching session, or NULL if none is registered.
 */
static struct bnep_session *__bnep_get_session(u8 *dst)
{
	struct bnep_session *found = NULL;
	struct bnep_session *cur;

	BT_DBG("");

	list_for_each_entry(cur, &bnep_session_list, list) {
		if (compare_ether_addr(dst, cur->eh.h_source) == 0) {
			found = cur;
			break;
		}
	}

	return found;
}
/* Add @s to bnep_session_list.  The caller holds bnep_session_sem for writing. */
static void __bnep_link_session(struct bnep_session *s)
{
	list_add(&s->list, &bnep_session_list);
}
/* Remove @s from bnep_session_list.  The caller holds bnep_session_sem for writing. */
static void __bnep_unlink_session(struct bnep_session *s)
{
	list_del(&s->list);
}
/*
 * Write @len bytes at @data to the session socket as a single message.
 *
 * Returns the kernel_sendmsg() result: the number of bytes sent, or a
 * negative errno.
 */
static int bnep_send(struct bnep_session *s, void *data, size_t len)
{
	struct kvec iov = {
		.iov_base = data,
		.iov_len = len,
	};

	return kernel_sendmsg(s->sock, &s->msg, &iov, 1, len);
}
/*
 * Send a BNEP control response for command @ctrl carrying the 16-bit
 * response code @resp (put on the wire in network byte order).
 *
 * Returns what bnep_send() returns.
 */
static int bnep_send_rsp(struct bnep_session *s, u8 ctrl, u16 resp)
{
	/* Fully initialised so no indeterminate stack bytes (padding, should
	 * the struct have any) can reach the socket. */
	struct bnep_control_rsp rsp = {
		.type = BNEP_CONTROL,
		.ctrl = ctrl,
		.resp = htons(resp),
	};

	return bnep_send(s, &rsp, sizeof(rsp));
}
#ifdef CONFIG_BT_BNEP_PROTO_FILTER
/*
 * Install the built-in protocol filter: three ranges covering IPv4/ARP,
 * RARP/AppleTalk and IPX/IPv6.  Applied to every new session and again
 * whenever the peer sends an empty FILTER_NET_TYPE_SET
 * (see bnep_ctrl_set_netfilter()).
 */
static inline void bnep_set_default_proto_filter(struct bnep_session *s)
{
	struct bnep_proto_filter *f = s->proto_filter;

	/* (IPv4, ARP) */
	f[0].start = ETH_P_IP;
	f[0].end   = ETH_P_ARP;

	/* (RARP, AppleTalk) */
	f[1].start = ETH_P_RARP;
	f[1].end   = ETH_P_AARP;

	/* (IPX, IPv6) */
	f[2].start = ETH_P_IPX;
	f[2].end   = ETH_P_IPV6;
}
#endif
/*
 * Handle a BNEP_FILTER_NET_TYPE_SET control command from the peer.
 *
 * @data points at the command payload: a 16-bit big-endian byte count
 * followed by that many bytes of (start, end) protocol-type pairs.
 * @len is the number of bytes really available at @data.
 *
 * Returns -EILSEQ when the payload claims more bytes than @len provides
 * (nothing is sent back in that case) and 0 otherwise, regardless of which
 * response went to the peer.  Responses are best-effort: the result of
 * bnep_send_rsp() is not checked.
 */
static int bnep_ctrl_set_netfilter(struct bnep_session *s, __be16 *data, int len)
{
	int filter_len;

	if (len < 2)
		return -EILSEQ;

	filter_len = get_unaligned_be16(data);
	data++;		/* __be16 pointer: steps over the 2-byte length field */
	len -= 2;

	/* Never parse beyond the bytes we were actually given */
	if (len < filter_len)
		return -EILSEQ;

	BT_DBG("filter len %d", filter_len);

#ifdef CONFIG_BT_BNEP_PROTO_FILTER
	{
		struct bnep_proto_filter *filters = s->proto_filter;
		/* Each range is two __be16; any trailing odd bytes are ignored */
		int count = filter_len / 4;
		int i;

		if (count > BNEP_MAX_PROTO_FILTERS) {
			bnep_send_rsp(s, BNEP_FILTER_NET_TYPE_RSP,
				      BNEP_FILTER_LIMIT_REACHED);
			return 0;
		}

		for (i = 0; i < count; i++) {
			filters[i].start = get_unaligned_be16(data++);
			filters[i].end = get_unaligned_be16(data++);

			BT_DBG("proto filter start %d end %d",
			       filters[i].start, filters[i].end);
		}

		/* Zero the entry after the last one written, when there is
		 * room for it; presumably the consumer treats an all-zero
		 * range as the end of the list — confirm against bnep_net.c */
		if (count < BNEP_MAX_PROTO_FILTERS)
			memset(filters + count, 0, sizeof(*filters));

		/* An empty set means "back to the defaults" */
		if (count == 0)
			bnep_set_default_proto_filter(s);

		bnep_send_rsp(s, BNEP_FILTER_NET_TYPE_RSP, BNEP_SUCCESS);
	}
#else
	bnep_send_rsp(s, BNEP_FILTER_NET_TYPE_RSP, BNEP_FILTER_UNSUPPORTED_REQ);
#endif
	return 0;
}
/*
 * Handle a BNEP_FILTER_MULTI_ADDR_SET control command from the peer.
 *
 * @data points at the command payload: a 16-bit big-endian byte count
 * followed by that many bytes of (first, last) multicast address pairs,
 * ETH_ALEN bytes each.  @len is the number of bytes available at @data.
 *
 * Every address from first to last is hashed into the 64-bit s->mc_filter
 * bitmap.  A wide range therefore just saturates the bitmap, and the walk
 * stops as soon as every bit is set, which bounds the work per range.
 * Broadcast is always accepted.  An empty list leaves the filter as it is.
 *
 * Returns -EILSEQ when the payload claims more bytes than @len provides,
 * 0 otherwise.  Responses are best-effort (bnep_send_rsp() unchecked).
 */
static int bnep_ctrl_set_mcfilter(struct bnep_session *s, u8 *data, int len)
{
	int filter_len;

	if (len < 2)
		return -EILSEQ;

	filter_len = get_unaligned_be16(data);
	data += 2;
	len -= 2;

	/* Never parse beyond the bytes we were actually given */
	if (len < filter_len)
		return -EILSEQ;

	BT_DBG("filter len %d", filter_len);

#ifdef CONFIG_BT_BNEP_MC_FILTER
	{
		int ranges = filter_len / (ETH_ALEN * 2);

		if (ranges > 0) {
			s->mc_filter = 0;

			/* Always send broadcast */
			set_bit(bnep_mc_hash(s->dev->broadcast),
				(ulong *) &s->mc_filter);

			/* Add address ranges to the multicast hash */
			while (ranges-- > 0) {
				u8 lo[ETH_ALEN];
				u8 *hi;
				int i;

				memcpy(lo, data, ETH_ALEN);
				data += ETH_ALEN;
				hi = data;
				data += ETH_ALEN;

				BT_DBG("mc filter %s -> %s",
				       batostr((void *) lo), batostr((void *) hi));

				/* Walk lo..hi, treating the address as a
				 * 48-bit big-endian counter */
				set_bit(bnep_mc_hash(lo), (ulong *) &s->mc_filter);
				while (memcmp(lo, hi, ETH_ALEN) < 0 &&
				       s->mc_filter != ~0LL) {
					for (i = ETH_ALEN - 1; i >= 0; i--) {
						if (++lo[i] != 0)
							break;
					}
					set_bit(bnep_mc_hash(lo),
						(ulong *) &s->mc_filter);
				}
			}
		}
	}

	BT_DBG("mc filter hash 0x%llx", s->mc_filter);

	bnep_send_rsp(s, BNEP_FILTER_MULTI_ADDR_RSP, BNEP_SUCCESS);
#else
	bnep_send_rsp(s, BNEP_FILTER_MULTI_ADDR_RSP, BNEP_FILTER_UNSUPPORTED_REQ);
#endif
	return 0;
}
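/*
 * Dispatch one BNEP control command received from the peer.
 *
 * @data points at the command byte, followed by @len - 1 bytes of
 * command-specific payload.
 *
 * Responses (NOT_UNDERSTOOD, CONN_NOT_ALLOWED, the filter replies) are
 * best-effort; only the two filter handlers report parse errors back.
 *
 * Returns -EILSEQ when there is no command byte at all, the filter
 * handler's result for the FILTER_*_SET commands, the bnep_send_rsp()
 * result for SETUP_CONN_REQ, and 0 for everything else.
 */
static int bnep_rx_control(struct bnep_session *s, void *data, int len)
{
	u8 cmd;
	int err = 0;

	/* The filter parsers below check their length before reading; do
	 * the same here instead of reading a command byte from an empty
	 * payload. */
	if (len < 1)
		return -EILSEQ;

	cmd = *(u8 *)data;
	data++;
	len--;

	switch (cmd) {
	case BNEP_CMD_NOT_UNDERSTOOD:
	case BNEP_SETUP_CONN_RSP:
	case BNEP_FILTER_NET_TYPE_RSP:
	case BNEP_FILTER_MULTI_ADDR_RSP:
		/* Ignore these for now */
		break;

	case BNEP_FILTER_NET_TYPE_SET:
		err = bnep_ctrl_set_netfilter(s, data, len);
		break;

	case BNEP_FILTER_MULTI_ADDR_SET:
		err = bnep_ctrl_set_mcfilter(s, data, len);
		break;

	case BNEP_SETUP_CONN_REQ:
		/* Sessions are created via bnep_add_connection(); a setup
		 * request on an already established session is refused. */
		err = bnep_send_rsp(s, BNEP_SETUP_CONN_RSP, BNEP_CONN_NOT_ALLOWED);
		break;

	default: {
		/* Tell the peer which command we did not recognise */
		u8 pkt[3];
		pkt[0] = BNEP_CONTROL;
		pkt[1] = BNEP_CMD_NOT_UNDERSTOOD;
		pkt[2] = cmd;
		bnep_send(s, pkt, sizeof(pkt));
		break;
	}
	}

	return err;
}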
/*
 * Walk the chain of BNEP extension headers at the front of @skb.
 *
 * Each header is pulled off the skb in turn.  BNEP_EXT_CONTROL extensions
 * are handed to bnep_rx_control() — note: with the whole remaining skb,
 * not just the extension's own @len bytes — and every other type is
 * skipped.  The walk ends after the first header without BNEP_EXT_HEADER.
 *
 * Returns 0 on success, -EILSEQ if a header or its payload runs past the
 * end of the skb.  On error the skb is partially consumed; the caller
 * (bnep_rx_frame()) discards it.
 */
static int bnep_rx_extension(struct bnep_session *s, struct sk_buff *skb)
{
	struct bnep_ext_hdr *hdr;

	for (;;) {
		/* skb_pull() only advances skb->data, so hdr stays readable */
		hdr = (void *) skb->data;
		if (!skb_pull(skb, sizeof(*hdr)))
			return -EILSEQ;

		BT_DBG("type 0x%x len %d", hdr->type, hdr->len);

		if ((hdr->type & BNEP_TYPE_MASK) == BNEP_EXT_CONTROL)
			bnep_rx_control(s, skb->data, skb->len);
		/* Unknown extension types are skipped over below */

		if (!skb_pull(skb, hdr->len))
			return -EILSEQ;

		if (!(hdr->type & BNEP_EXT_HEADER))
			return 0;
	}
}
/*
 * Header bytes that follow the BNEP type byte for each frame type, indexed
 * by (type & BNEP_TYPE_MASK).  bnep_rx_frame() rejects any type at or
 * beyond sizeof() of this table, so it also defines the set of known types.
 * Every non-control header ends with the 2-byte protocol field.
 */
static u8 __bnep_rx_hlen[] = {
	[0] = ETH_HLEN,		/* BNEP_GENERAL: dst, src, proto */
	[1] = 0,		/* BNEP_CONTROL */
	[2] = 2,		/* BNEP_COMPRESSED: proto only */
	[3] = ETH_ALEN + 2,	/* BNEP_COMPRESSED_SRC_ONLY: src, proto */
	[4] = ETH_ALEN + 2,	/* BNEP_COMPRESSED_DST_ONLY: dst, proto */
};
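/*
 * Turn one received BNEP frame into an Ethernet frame and hand it to the
 * network stack.
 *
 * @skb must be linear (bnep_session() linearizes it first) and is always
 * consumed: either freed here or passed on via netif_rx_ni().
 *
 * Control frames go to bnep_rx_control() and are then dropped.  For data
 * frames the (possibly compressed) 802.3 header is validated and pulled,
 * the cached s->eh is updated with the protocol field, an optional
 * extension chain is walked and an 802.1p tag is stripped; the full
 * Ethernet header is then rebuilt from s->eh in a new skb and the payload
 * copied behind it.
 *
 * Returns 0 both for delivered and for malformed frames (the latter only
 * count in dev->stats.rx_errors), and -ENOMEM if the new skb cannot be
 * allocated.
 */
static inline int bnep_rx_frame(struct bnep_session *s, struct sk_buff *skb)
{
	struct net_device *dev = s->dev;
	struct sk_buff *nskb;
	u8 type;

	dev->stats.rx_bytes += skb->len;

	/* Make sure there is a type byte before reading skb->data; the
	 * skb_pull() below is otherwise unchecked. */
	if (skb->len < 1)
		goto badframe;

	type = *(u8 *) skb->data;
	skb_pull(skb, 1);

	/* Unknown frame type: __bnep_rx_hlen only covers the known ones */
	if ((type & BNEP_TYPE_MASK) >= sizeof(__bnep_rx_hlen))
		goto badframe;

	if ((type & BNEP_TYPE_MASK) == BNEP_CONTROL) {
		bnep_rx_control(s, skb->data, skb->len);
		kfree_skb(skb);
		return 0;
	}

	/* Remember where the (compressed) header starts; the decompression
	 * below copies addresses out of it via skb_mac_header() */
	skb_reset_mac_header(skb);

	/* Verify and pull out header */
	if (!skb_pull(skb, __bnep_rx_hlen[type & BNEP_TYPE_MASK]))
		goto badframe;

	/* Every data header ends with the protocol field */
	s->eh.h_proto = get_unaligned((__be16 *) (skb->data - 2));

	if (type & BNEP_EXT_HEADER) {
		if (bnep_rx_extension(s, skb) < 0)
			goto badframe;
	}

	/* Strip 802.1p header: drop the 4-byte tag and use the encapsulated
	 * protocol instead */
	if (ntohs(s->eh.h_proto) == 0x8100) {
		if (!skb_pull(skb, 4))
			goto badframe;
		s->eh.h_proto = get_unaligned((__be16 *) (skb->data - 2));
	}

	/* We have to alloc new skb and copy data here :(. Because original skb
	 * may not be modified and because of the alignment requirements. */
	nskb = alloc_skb(2 + ETH_HLEN + skb->len, GFP_KERNEL);
	if (!nskb) {
		dev->stats.rx_dropped++;
		kfree_skb(skb);
		return -ENOMEM;
	}
	/* 2 bytes of headroom so the payload after the 14-byte Ethernet
	 * header ends up 4-byte aligned */
	skb_reserve(nskb, 2);

	/* Decompress header and construct ether frame */
	switch (type & BNEP_TYPE_MASK) {
	case BNEP_COMPRESSED:
		memcpy(__skb_put(nskb, ETH_HLEN), &s->eh, ETH_HLEN);
		break;

	case BNEP_COMPRESSED_SRC_ONLY:
		memcpy(__skb_put(nskb, ETH_ALEN), s->eh.h_dest, ETH_ALEN);
		memcpy(__skb_put(nskb, ETH_ALEN), skb_mac_header(skb), ETH_ALEN);
		put_unaligned(s->eh.h_proto, (__be16 *) __skb_put(nskb, 2));
		break;

	case BNEP_COMPRESSED_DST_ONLY:
		memcpy(__skb_put(nskb, ETH_ALEN), skb_mac_header(skb),
		       ETH_ALEN);
		/* h_source and h_proto are adjacent in struct ethhdr */
		memcpy(__skb_put(nskb, ETH_ALEN + 2), s->eh.h_source,
		       ETH_ALEN + 2);
		break;

	case BNEP_GENERAL:
		memcpy(__skb_put(nskb, ETH_ALEN * 2), skb_mac_header(skb),
		       ETH_ALEN * 2);
		put_unaligned(s->eh.h_proto, (__be16 *) __skb_put(nskb, 2));
		break;
	}

	skb_copy_from_linear_data(skb, __skb_put(nskb, skb->len), skb->len);
	kfree_skb(skb);

	dev->stats.rx_packets++;
	nskb->ip_summed = CHECKSUM_NONE;
	nskb->protocol = eth_type_trans(nskb, dev);
	netif_rx_ni(nskb);
	return 0;

badframe:
	dev->stats.rx_errors++;
	kfree_skb(skb);
	return 0;
}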
/*
 * Frame type to send, indexed by the 2-bit mask built in bnep_tx_frame():
 * bit 0 - the frame's destination is the peer, so it can be left out;
 * bit 1 - the frame's source is our own address, so it can be left out.
 */
static u8 __bnep_tx_types[] = {
	[0] = BNEP_GENERAL,
	[1] = BNEP_COMPRESSED_SRC_ONLY,
	[2] = BNEP_COMPRESSED_DST_ONLY,
	[3] = BNEP_COMPRESSED,
};
/*
 * Send one frame from the socket's write queue over the session socket.
 *
 * Frames with skb->dev == NULL are control frames we sent ourselves and
 * already carry their BNEP header, so they go out untouched.  For
 * Ethernet frames the BNEP type is chosen from __bnep_tx_types according
 * to which of the two MAC addresses can be omitted (compress_src /
 * compress_dst), and the wire format is assembled as an iovec of up to
 * three pieces without copying the payload.
 *
 * @skb is always consumed.  Returns 0 when anything was sent (tx stats
 * updated), otherwise the kernel_sendmsg() result (0 or a negative errno),
 * which makes bnep_session() stop draining the queue.
 */
static inline int bnep_tx_frame(struct bnep_session *s, struct sk_buff *skb)
{
	struct ethhdr *eh = (void *) skb->data;
	struct kvec iov[3];
	int total = 0, cnt = 0;
	u8 mask = 0;
	u8 type = 0;

	BT_DBG("skb %p dev %p type %d", skb, skb->dev, skb->pkt_type);

	if (skb->dev) {
		/* s->eh is the receive header: h_source is the peer,
		 * h_dest is us */
		if (compress_src && !compare_ether_addr(eh->h_dest, s->eh.h_source))
			mask |= 0x01;

		if (compress_dst && !compare_ether_addr(eh->h_source, s->eh.h_dest))
			mask |= 0x02;

		/* Any compression drops the 12 address bytes from the
		 * payload; eh still points at them for the iovec below */
		if (mask)
			skb_pull(skb, ETH_ALEN * 2);

		type = __bnep_tx_types[mask];

		iov[cnt++] = (struct kvec) { &type, 1 };
		total++;

		if (type == BNEP_COMPRESSED_SRC_ONLY) {
			iov[cnt++] = (struct kvec) { eh->h_source, ETH_ALEN };
			total += ETH_ALEN;
		} else if (type == BNEP_COMPRESSED_DST_ONLY) {
			iov[cnt++] = (struct kvec) { eh->h_dest, ETH_ALEN };
			total += ETH_ALEN;
		}
	}
	/* else: control frame sent by us, no BNEP header to build */

	iov[cnt++] = (struct kvec) { skb->data, skb->len };
	total += skb->len;

	/* FIXME: linearize skb */

	total = kernel_sendmsg(s->sock, &s->msg, iov, cnt, total);

	kfree_skb(skb);

	if (total <= 0)
		return total;

	s->dev->stats.tx_bytes += total;
	s->dev->stats.tx_packets++;
	return 0;
}
/*
 * Session kernel thread ("kbnepd <ifname>"): shuttles frames between the
 * Bluetooth socket and the net device until told to stop, then tears the
 * session down.
 *
 * @arg is the struct bnep_session.  The thread parks itself on the
 * socket's wait queue (sk_sleep(sk)); bnep_del_connection() also wakes it
 * with wake_up_process().  The loop ends when s->terminate is set or the
 * socket leaves BT_CONNECTED.
 *
 * Always returns 0.  The module reference taken in bnep_add_connection()
 * is dropped by module_put_and_exit() on the way out.
 */
static int bnep_session(void *arg)
{
	struct bnep_session *s = arg;
	struct net_device *dev = s->dev;
	struct sock *sk = s->sock->sk;
	struct sk_buff *skb;
	wait_queue_t wait;

	BT_DBG("");

	set_user_nice(current, -15);

	init_waitqueue_entry(&wait, current);
	add_wait_queue(sk_sleep(sk), &wait);
	while (1) {
		/* State is set before the checks so that a wakeup arriving
		 * between them and schedule() is not lost */
		set_current_state(TASK_INTERRUPTIBLE);

		if (atomic_read(&s->terminate))
			break;
		/* RX: drain the socket, one BNEP frame per skb */
		while ((skb = skb_dequeue(&sk->sk_receive_queue))) {
			skb_orphan(skb);
			/* bnep_rx_frame() wants linear data and always
			 * consumes the skb */
			if (!skb_linearize(skb))
				bnep_rx_frame(s, skb);
			else
				kfree_skb(skb);
		}

		if (sk->sk_state != BT_CONNECTED)
			break;

		/* TX: stop at the first frame that fails to send */
		while ((skb = skb_dequeue(&sk->sk_write_queue)))
			if (bnep_tx_frame(s, skb))
				break;
		netif_wake_queue(dev);

		schedule();
	}
	__set_current_state(TASK_RUNNING);
	remove_wait_queue(sk_sleep(sk), &wait);

	/* Cleanup session */
	down_write(&bnep_session_sem);

	/* Delete network device */
	unregister_netdev(dev);

	/* Wakeup user-space polling for socket errors */
	s->sock->sk->sk_err = EUNATCH;

	wake_up_interruptible(sk_sleep(s->sock->sk));

	/* Release the socket */
	fput(s->sock->file);

	__bnep_unlink_session(s);

	up_write(&bnep_session_sem);
	/* s is the private area of dev, so it is freed along with it */
	free_netdev(dev);
	module_put_and_exit(0);
	return 0;
}
/*
 * Find the struct device of the ACL link this session runs over, so the
 * net device can be parented to it (SET_NETDEV_DEV in bnep_add_connection()).
 *
 * Returns NULL if no HCI route to the peer exists or no ACL connection to
 * it is found.
 *
 * NOTE(review): &conn->dev is returned after the hdev reference is dropped
 * and nothing here pins conn itself — confirm the caller's use tolerates that.
 */
static struct device *bnep_get_device(struct bnep_session *session)
{
	struct sock *sk = session->sock->sk;
	bdaddr_t *src = &bt_sk(sk)->src;
	bdaddr_t *dst = &bt_sk(sk)->dst;
	struct hci_dev *hdev = hci_get_route(dst, src);
	struct hci_conn *conn;

	if (!hdev)
		return NULL;

	conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);

	hci_dev_put(hdev);

	if (!conn)
		return NULL;

	return &conn->dev;
}
/* Device type attached to every BNEP net device (SET_NETDEV_DEVTYPE in
 * bnep_add_connection()); the name is what user space sees as the type. */
static struct device_type bnep_type = {
	.name = "bluetooth",
};
/*
 * Create a BNEP session on top of a connected Bluetooth socket and register
 * a new Ethernet device for it.
 *
 * @req supplies the role and the requested interface name (an empty name
 * means "bnep%d"); on success the name actually assigned is written back
 * into req->device.  @sock is the socket to run the session over; the
 * session thread later releases the socket's file with fput(), so the
 * reference is presumably handed over by the caller.
 *
 * Returns 0 on success, -ENOMEM if the device cannot be allocated,
 * -EEXIST if a connected session to the same peer already exists, or the
 * register_netdev() / kthread_run() error.
 *
 * NOTE(review): @sock is treated as a Bluetooth socket (bt_sk(sock->sk))
 * without any check here of what kind of socket it is; confirm the ioctl
 * path that hands it in (not in this file) validates the socket type.
 * NOTE(review): strcpy() into req->device assumes it can hold dev->name
 * (IFNAMSIZ bytes) — verify against the struct definition in bnep.h.
 */
int bnep_add_connection(struct bnep_connadd_req *req, struct socket *sock)
{
	struct net_device *dev;
	struct bnep_session *s, *ss;
	u8 dst[ETH_ALEN], src[ETH_ALEN];
	int err;

	BT_DBG("");

	/* Derive the two MAC addresses from the socket's Bluetooth addresses */
	baswap((void *) dst, &bt_sk(sock->sk)->dst);
	baswap((void *) src, &bt_sk(sock->sk)->src);

	/* session struct allocated as private part of net_device */
	dev = alloc_netdev(sizeof(struct bnep_session),
			   (*req->device) ? req->device : "bnep%d",
			   bnep_net_setup);
	if (!dev)
		return -ENOMEM;

	down_write(&bnep_session_sem);

	/* Refuse a second session to a peer that already has a live one */
	ss = __bnep_get_session(dst);
	if (ss && ss->state == BT_CONNECTED) {
		err = -EEXIST;
		goto failed;
	}

	s = netdev_priv(dev);

	/* This is rx header therefore addresses are swapped.
	 * ie. eh.h_dest is our local address. */
	memcpy(s->eh.h_dest, &src, ETH_ALEN);
	memcpy(s->eh.h_source, &dst, ETH_ALEN);
	memcpy(dev->dev_addr, s->eh.h_dest, ETH_ALEN);

	s->dev = dev;
	s->sock = sock;
	s->role = req->role;
	s->state = BT_CONNECTED;

	/* Never raise SIGPIPE from the kernel sends on this socket */
	s->msg.msg_flags = MSG_NOSIGNAL;

#ifdef CONFIG_BT_BNEP_MC_FILTER
	/* Set default mc filter */
	set_bit(bnep_mc_hash(dev->broadcast), (ulong *) &s->mc_filter);
#endif

#ifdef CONFIG_BT_BNEP_PROTO_FILTER
	/* Set default protocol filter */
	bnep_set_default_proto_filter(s);
#endif

	SET_NETDEV_DEV(dev, bnep_get_device(s));
	SET_NETDEV_DEVTYPE(dev, &bnep_type);

	err = register_netdev(dev);
	if (err)
		goto failed;

	__bnep_link_session(s);

	/* The session thread owns this module reference until it exits */
	__module_get(THIS_MODULE);
	s->task = kthread_run(bnep_session, s, "kbnepd %s", dev->name);
	if (IS_ERR(s->task)) {
		/* Session thread start failed, gotta cleanup. */
		module_put(THIS_MODULE);
		unregister_netdev(dev);
		__bnep_unlink_session(s);
		err = PTR_ERR(s->task);
		goto failed;
	}

	up_write(&bnep_session_sem);
	strcpy(req->device, dev->name);
	return 0;

failed:
	up_write(&bnep_session_sem);
	free_netdev(dev);
	return err;
}
/*
 * Ask the session for peer req->dst to terminate.
 *
 * Only flags the session (s->terminate) and wakes its thread; the actual
 * teardown happens asynchronously in bnep_session().
 *
 * Returns 0 if a session was found, -ENOENT otherwise.
 */
int bnep_del_connection(struct bnep_conndel_req *req)
{
	struct bnep_session *s;
	int err = -ENOENT;

	BT_DBG("");

	down_read(&bnep_session_sem);

	s = __bnep_get_session(req->dst);
	if (s) {
		atomic_inc(&s->terminate);
		wake_up_process(s->task);
		err = 0;
	}

	up_read(&bnep_session_sem);
	return err;
}
/*
 * Fill @ci with a user-visible snapshot of session @s.
 *
 * The struct is cleared first: callers hand it to copy_to_user() (see
 * bnep_get_connlist()), so every byte — padding and the unused tail of
 * ci->device included — must be defined before it leaves the kernel.
 * Assumes ci->device can hold s->dev->name (IFNAMSIZ) — TODO confirm
 * against bnep.h.
 */
static void __bnep_copy_ci(struct bnep_conninfo *ci, struct bnep_session *s)
{
	memset(ci, 0, sizeof(*ci));

	ci->role = s->role;
	ci->state = s->state;
	ci->flags = s->flags;

	strcpy(ci->device, s->dev->name);
	/* s->eh is the receive header, so h_source is the peer's address */
	memcpy(ci->dst, s->eh.h_source, ETH_ALEN);
}
/*
 * Copy up to req->cnum session descriptions to the user buffer req->ci and
 * report how many were written in req->cnum.
 *
 * Note that the first entry is copied before req->cnum is consulted, so a
 * cnum of 0 still produces one entry when any session exists.
 *
 * Returns 0, or -EFAULT if copying to user space failed; req->cnum then
 * counts only the entries that were copied successfully.
 */
int bnep_get_connlist(struct bnep_connlist_req *req)
{
	struct bnep_session *s;
	struct bnep_conninfo ci;
	int err = 0;
	int copied = 0;

	down_read(&bnep_session_sem);

	list_for_each_entry(s, &bnep_session_list, list) {
		/* ci is fully initialised by __bnep_copy_ci() before the copy */
		__bnep_copy_ci(&ci, s);

		if (copy_to_user(req->ci, &ci, sizeof(ci)) != 0) {
			err = -EFAULT;
			break;
		}

		copied++;
		if (copied >= req->cnum)
			break;

		req->ci++;
	}
	req->cnum = copied;

	up_read(&bnep_session_sem);
	return err;
}
/*
 * Fill in @ci for the session whose peer address is ci->dst.
 *
 * Returns 0 on success, or -ENOENT if no such session exists (in which
 * case @ci is left untouched).
 */
int bnep_get_conninfo(struct bnep_conninfo *ci)
{
	struct bnep_session *s;
	int err = -ENOENT;

	down_read(&bnep_session_sem);

	s = __bnep_get_session(ci->dst);
	if (s) {
		__bnep_copy_ci(ci, s);
		err = 0;
	}

	up_read(&bnep_session_sem);
	return err;
}
/*
 * Module entry point: log the version and the compiled-in filters, then
 * set up the BNEP control socket.
 *
 * Always returns 0.  NOTE(review): the result of bnep_sock_init() is
 * ignored here; if it can fail (check its prototype in bnep.h) the error
 * should be propagated.
 */
static int __init bnep_init(void)
{
	char filters[50] = "";

#ifdef CONFIG_BT_BNEP_PROTO_FILTER
	strcat(filters, "protocol ");
#endif

#ifdef CONFIG_BT_BNEP_MC_FILTER
	strcat(filters, "multicast");
#endif

	BT_INFO("BNEP (Ethernet Emulation) ver %s", VERSION);
	if (filters[0] != '\0')
		BT_INFO("BNEP filters: %s", filters);

	bnep_sock_init();
	return 0;
}
/* Module exit: tear down the BNEP control socket set up by bnep_init(). */
static void __exit bnep_exit(void)
{
	bnep_sock_cleanup();
}
module_init(bnep_init);
module_exit(bnep_exit);

/* Both parameters are exposed in sysfs with mode 0644; see bnep_tx_frame()
 * for the header compression they enable. */
module_param(compress_src, bool, 0644);
MODULE_PARM_DESC(compress_src, "Compress sources headers");

module_param(compress_dst, bool, 0644);
MODULE_PARM_DESC(compress_dst, "Compress destination headers");

MODULE_AUTHOR("Marcel Holtmann <marcel@holtmann.org>");
MODULE_DESCRIPTION("Bluetooth BNEP ver " VERSION);
MODULE_VERSION(VERSION);
MODULE_LICENSE("GPL");
/* Auto-load on demand for Bluetooth protocol number 4 (BNEP) */
MODULE_ALIAS("bt-proto-4");