Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix packetbuffer handling in UDPEndPointImplOpenThread. #18851

Merged
merged 1 commit into from
May 26, 2022
Merged

Fix packetbuffer handling in UDPEndPointImplOpenThread. #18851

merged 1 commit into from
May 26, 2022

Conversation

bzbarsky-apple
Copy link
Contributor

@bzbarsky-apple bzbarsky-apple commented May 26, 2022
edited
Loading

What the code was doing was:

  1. Allocate a buffer of size msgLen.
  2. Copy sizeof(IPPacketInfo) + msgLen bytes into it. This is a buffer overrun
    if the packetbuffer was not over-allocated.
  3. memmove the contents of the buffer over by sizeof(IPPacketInfo), point
    Start() at the location the data was moved to. This would fail if the buffer
    was not even more over-allocated.
  4. Read the memory from ((Start() - sizeof(IPPacketInfo) & ~3) (which might
    under-run the buffer depending on how its allocation is aligned in memory),
    and which anyway conceptually represents garbage data that the packetbuffer
    code is well withiin its rights to have overwritten and treat that memory as
    an IPPacketInfo.
  5. Advance Start() by sizeof(IPPacketInfo) to point to the actual data.

What the new code does is:

  1. Allocate a buffer with msgLen data space and enough reserved space that we
    can place an aligned IPPacketInfo in the reserved space.
  2. Copy the incoming data into the data space.
  3. Fill in an IPPacketInfo in the reserved space.
  4. Later read the IPPacketInfo from the reserved space.

Problem

See above.

In particular, if allocating packetbuffers in RAM, things would fail here in various ways.

Change overview

See above.

Testing

@doru91 was going to test this.

@boring-cyborg boring-cyborg bot added the inet label May 26, 2022
@bzbarsky-apple
Fix packetbuffer handling in UDPEndPointImplOpenThread.
cefeefd 
What the code was doing was:

1. Allocate a buffer of size msgLen.
2. Copy sizeof(IPPacketInfo) + msgLen bytes into it.  This is a buffer overrun
   if the packetbuffer was not over-allocated.
3. memmove the contents of the buffer over by sizeof(IPPacketInfo), point
   Start() at the location the data was moved to.  This would fail if the buffer
   was not even more over-allocated.
4. Read the memory from ((Start() - sizeof(IPPacketInfo) & ~3) (which might
   _under-run_ the buffer depending on how its allocation is aligned in memory),
   and which anyway conceptually represents garbage data that the packetbuffer
   code is well withiin its rights to have overwritten and treat that memory as
   an IPPacketInfo.
5. Advance Start() by sizeof(IPPacketInfo) to point to the actual data.

What the new code does is:

1. Allocate a buffer with msgLen data space and enough reserved space that we
   can place an aligned IPPacketInfo in the reserved space.
2. Copy the incoming data into the data space.
3. Fill in an IPPacketInfo in the reserved space.
4. Later read the IPPacketInfo from the reserved space.
@bzbarsky-apple bzbarsky-apple force-pushed the fix-openthread-endpoint-buffers branch from 867e0dd to cefeefd Compare May 26, 2022 16:47
@github-actions
Copy link

github-actions bot commented May 26, 2022
edited
Loading

PR #18851: Size comparison from eb7628f to cefeefd

Increases (3 builds for efr32)
platform target config section eb7628f cefeefd change % change
efr32 lighting-app BRD4161A (read only) 913896 913952 56 0.0
.text 913888 913944 56 0.0
BRD4161A+rpc (read only) 948068 948124 56 0.0
.text 948060 948116 56 0.0
window-app BRD4161A (read only) 898824 898880 56 0.0
.text 898816 898872 56 0.0
Full report (37 builds for cc13x2_26x2, cyw30739, efr32, esp32, k32w, linux, mbed, nrfconnect, p6, telink)
platform target config section eb7628f cefeefd change % change
cc13x2_26x2 all-clusters-app LP_CC2652R7 (read only) 644979 644979 0 0.0
(read/write) 159144 159144 0 0.0
.bss 74828 74828 0 0.0
.data 3400 3400 0 0.0
.rodata 83747 83747 0 0.0
.text 560996 560996 0 0.0
lock-ftd LP_CC2652R7 (read only) 679327 679327 0 0.0
(read/write) 163512 163512 0 0.0
.bss 72876 72876 0 0.0
.data 3236 3236 0 0.0
.rodata 96055 96055 0 0.0
.text 582788 582788 0 0.0
lock-mtd LP_CC2652R7 (read only) 628727 628727 0 0.0
(read/write) 145708 145708 0 0.0
.bss 68612 68612 0 0.0
.data 3236 3236 0 0.0
.rodata 95935 95935 0 0.0
.text 532300 532300 0 0.0
pump-app LP_CC2652R7 (read only) 675731 675731 0 0.0
(read/write) 168532 168532 0 0.0
.bss 73276 73276 0 0.0
.data 3272 3272 0 0.0
.rodata 88531 88531 0 0.0
.text 586716 586716 0 0.0
pump-controller-app LP_CC2652R7 (read only) 653659 653659 0 0.0
(read/write) 190204 190204 0 0.0
.bss 73132 73132 0 0.0
.data 3232 3232 0 0.0
.rodata 83275 83275 0 0.0
.text 569904 569904 0 0.0
shell LP_CC2652R7 (read only) 637986 637986 0 0.0
(read/write) 154708 154708 0 0.0
.bss 77188 77188 0 0.0
.data 3404 3404 0 0.0
.rodata 80722 80722 0 0.0
.text 557032 557032 0 0.0
cyw30739 light cyw930739m2evb_01 (read/write) 621510 621510 0 0.0
.app_xip_area 524788 524788 0 0.0
.bss 79364 79364 0 0.0
.data 704 704 0 0.0
.rodata 0 0 0 0.0
.text 0 0 0 0.0
lock cyw930739m2evb_01 (read/write) 630210 630210 0 0.0
.app_xip_area 534960 534960 0 0.0
.bss 77924 77924 0 0.0
.data 672 672 0 0.0
.rodata 0 0 0 0.0
.text 0 0 0 0.0
ota-requestor-no-progress-logging cyw930739m2evb_01 (read/write) 570622 570622 0 0.0
.app_xip_area 465692 465692 0 0.0
.bss 87308 87308 0 0.0
.data 584 584 0 0.0
.rodata 0 0 0 0.0
.text 112 112 0 0.0
efr32 lighting-app BRD4161A (read only) 913896 913952 56 0.0
(read/write) 133448 133448 0 0.0
.bss 131384 131384 0 0.0
.data 2064 2064 0 0.0
.text 913888 913944 56 0.0
BRD4161A+rpc (read only) 948068 948124 56 0.0
(read/write) 150140 150140 0 0.0
.bss 147872 147872 0 0.0
.data 2268 2268 0 0.0
.text 948060 948116 56 0.0
BRD4161A+rs911x (read only) 788508 788508 0 0.0
(read/write) 129716 129716 0 0.0
.bss 127644 127644 0 0.0
.data 2072 2072 0 0.0
.text 788500 788500 0 0.0
lock-app BRD4161A+wf200 (read only) 953896 953896 0 0.0
(read/write) 128484 128484 0 0.0
.bss 126444 126444 0 0.0
.data 2036 2036 0 0.0
.text 953888 953888 0 0.0
window-app BRD4161A (read only) 898824 898880 56 0.0
(read/write) 133512 133512 0 0.0
.bss 131448 131448 0 0.0
.data 2060 2060 0 0.0
.text 898816 898872 56 0.0
esp32 all-clusters-app c3devkit (read only) 1002224 1002224 0 0.0
(read/write) 1479314 1479314 0 0.0
.dram0.bss 69400 69400 0 0.0
.dram0.data 14640 14640 0 0.0
.flash.rodata 209840 209840 0 0.0
.flash.text 1002224 1002224 0 0.0
.iram0.text 62954 62954 0 0.0
m5stack (read only) 1057135 1057135 0 0.0
(read/write) 481288 481288 0 0.0
.dram0.bss 74912 74912 0 0.0
.dram0.data 34208 34208 0 0.0
.flash.rodata 240172 240172 0 0.0
.flash.text 1051751 1051751 0 0.0
.iram0.text 123267 123267 0 0.0
k32w light k32w061+release (read/write) 680744 680744 0 0.0
.bss 80424 80424 0 0.0
.data 2008 2008 0 0.0
.text 596608 596608 0 0.0
lock k32w061+release (read/write) 732084 732084 0 0.0
.bss 80856 80856 0 0.0
.data 1976 1976 0 0.0
.text 647548 647548 0 0.0
linux all-clusters-app debug (read only) 2751177 2751177 0 0.0
(read/write) 178240 178240 0 0.0
.bss 86496 86496 0 0.0
.data 2032 2032 0 0.0
.data.rel.ro 83560 83560 0 0.0
.dynamic 608 608 0 0.0
.got 4496 4496 0 0.0
.init 27 27 0 0.0
.init_array 1016 1016 0 0.0
.rodata 242013 242013 0 0.0
.text 2335570 2335570 0 0.0
bridge-app debug+rpc (read only) 2023745 2023745 0 0.0
(read/write) 147896 147896 0 0.0
.bss 73120 73120 0 0.0
.data 3936 3936 0 0.0
.data.rel.ro 65272 65272 0 0.0
.dynamic 592 592 0 0.0
.got 4272 4272 0 0.0
.init 27 27 0 0.0
.init_array 688 688 0 0.0
.rodata 168096 168096 0 0.0
.text 1699490 1699490 0 0.0
chip-tool debug (read only) 9633029 9633029 0 0.0
(read/write) 596016 596016 0 0.0
.bss 23936 23936 0 0.0
.data 1120 1120 0 0.0
.data.rel.ro 564656 564656 0 0.0
.dynamic 624 624 0 0.0
.got 5008 5008 0 0.0
.init 27 27 0 0.0
.init_array 648 648 0 0.0
.rodata 494141 494141 0 0.0
.text 7761269 7761269 0 0.0
chip-tool-no-interactive-ipv6only arm64 (read only) 9376100 9376100 0 0.0
(read/write) 662145 662145 0 0.0
.bss 42225 42225 0 0.0
.data 1176 1176 0 0.0
.data.rel.ro 599960 599960 0 0.0
.dynamic 560 560 0 0.0
.got 14936 14936 0 0.0
.init 24 24 0 0.0
.init_array 184 184 0 0.0
.rodata 457932 457932 0 0.0
.text 7405588 7405588 0 0.0
lighting-app debug+rpc (read only) 2314097 2314097 0 0.0
(read/write) 153536 153536 0 0.0
.bss 74944 74944 0 0.0
.data 2048 2048 0 0.0
.data.rel.ro 70776 70776 0 0.0
.dynamic 608 608 0 0.0
.got 4344 4344 0 0.0
.init 27 27 0 0.0
.init_array 792 792 0 0.0
.rodata 186760 186760 0 0.0
.text 1961970 1961970 0 0.0
lock-app debug (read only) 2253241 2253241 0 0.0
(read/write) 148600 148600 0 0.0
.bss 73632 73632 0 0.0
.data 1568 1568 0 0.0
.data.rel.ro 67704 67704 0 0.0
.dynamic 592 592 0 0.0
.got 4336 4336 0 0.0
.init 27 27 0 0.0
.init_array 752 752 0 0.0
.rodata 200168 200168 0 0.0
.text 1893138 1893138 0 0.0
ota-provider-app debug (read only) 2066369 2066369 0 0.0
(read/write) 141360 141360 0 0.0
.bss 73024 73024 0 0.0
.data 1768 1768 0 0.0
.data.rel.ro 60776 60776 0 0.0
.dynamic 608 608 0 0.0
.got 4504 4504 0 0.0
.init 27 27 0 0.0
.init_array 648 648 0 0.0
.rodata 179768 179768 0 0.0
.text 1728034 1728034 0 0.0
ota-requestor-app debug (read only) 2095489 2095489 0 0.0
(read/write) 144200 144200 0 0.0
.bss 73728 73728 0 0.0
.data 1960 1960 0 0.0
.data.rel.ro 62872 62872 0 0.0
.dynamic 592 592 0 0.0
.got 4344 4344 0 0.0
.init 27 27 0 0.0
.init_array 672 672 0 0.0
.rodata 175776 175776 0 0.0
.text 1759682 1759682 0 0.0
shell debug (read only) 2555537 2555537 0 0.0
(read/write) 201744 201744 0 0.0
.bss 117416 117416 0 0.0
.data 1376 1376 0 0.0
.data.rel.ro 77208 77208 0 0.0
.dynamic 608 608 0 0.0
.got 4192 4192 0 0.0
.init 27 27 0 0.0
.init_array 928 928 0 0.0
.rodata 222194 222194 0 0.0
.text 2174258 2174258 0 0.0
thermostat-no-ble arm64 (read only) 2359708 2359708 0 0.0
(read/write) 177377 177377 0 0.0
.bss 88177 88177 0 0.0
.data 1520 1520 0 0.0
.data.rel.ro 79872 79872 0 0.0
.dynamic 560 560 0 0.0
.got 4768 4768 0 0.0
.init 24 24 0 0.0
.init_array 376 376 0 0.0
.rodata 147404 147404 0 0.0
.text 1983344 1983344 0 0.0
tv-app debug (read only) 2875017 2875017 0 0.0
(read/write) 280368 280368 0 0.0
.bss 191304 191304 0 0.0
.data 4672 4672 0 0.0
.data.rel.ro 78120 78120 0 0.0
.dynamic 592 592 0 0.0
.got 4728 4728 0 0.0
.init 27 27 0 0.0
.init_array 928 928 0 0.0
.rodata 221728 221728 0 0.0
.text 2470802 2470802 0 0.0
tv-casting-app debug (read only) 5432729 5432729 0 0.0
(read/write) 226256 226256 0 0.0
.bss 78888 78888 0 0.0
.data 2400 2400 0 0.0
.data.rel.ro 138736 138736 0 0.0
.dynamic 608 608 0 0.0
.got 4728 4728 0 0.0
.init 27 27 0 0.0
.init_array 864 864 0 0.0
.rodata 339264 339264 0 0.0
.text 4734114 4734114 0 0.0
mbed lock-app CY8CPROTO_062_4343W+release (read only) 6224 6224 0 0.0
(read/write) 2423816 2423816 0 0.0
.bss 202868 202868 0 0.0
.data 5872 5872 0 0.0
.text 1386460 1386460 0 0.0
nrfconnect all-clusters-app nrf52840dk_nrf52840 (read/write) 1181367 1181367 0 0.0
bss 139560 139560 0 0.0
rodata 152656 152656 0 0.0
text 810304 810304 0 0.0
p6 all-clusters-app default (read/write) 2536592 2536592 0 0.0
.bss 137352 137352 0 0.0
.data 2800 2800 0 0.0
.text 1494856 1494856 0 0.0
light-app default (read/write) 2419880 2419880 0 0.0
.bss 129688 129688 0 0.0
.data 2600 2600 0 0.0
.text 1378144 1378144 0 0.0
lock-app default (read/write) 2437912 2437912 0 0.0
.bss 129496 129496 0 0.0
.data 2568 2568 0 0.0
.text 1396176 1396176 0 0.0
telink light-switch-app tlsr9518adk80d (read/write) 779400 779400 0 0.0
bss 70824 70824 0 0.0
noinit 40416 40416 0 0.0
text 551116 551116 0 0.0
lighting-app tlsr9518adk80d (read/write) 799424 799424 0 0.0
bss 71076 71076 0 0.0
noinit 40416 40416 0 0.0
text 567850 567850 0 0.0

@andy31415 andy31415 merged commit 3956a9d into project-chip:master May 26, 2022
@bzbarsky-apple bzbarsky-apple deleted the fix-openthread-endpoint-buffers branch May 26, 2022 20:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andy31415 andy31415 andy31415 approved these changes

@jepenven-silabs jepenven-silabs jepenven-silabs approved these changes

@anush-apple anush-apple Awaiting requested review from anush-apple

@arkq arkq Awaiting requested review from arkq

@Byungjoo-Lee Byungjoo-Lee Awaiting requested review from Byungjoo-Lee

@carol-apple carol-apple Awaiting requested review from carol-apple

@chrisdecenzo chrisdecenzo Awaiting requested review from chrisdecenzo

@chshu chshu Awaiting requested review from chshu

@chulspro chulspro Awaiting requested review from chulspro

@Damian-Nordic Damian-Nordic Awaiting requested review from Damian-Nordic

@dhrishi dhrishi Awaiting requested review from dhrishi

@electrocucaracha electrocucaracha Awaiting requested review from electrocucaracha

@erjiaqing erjiaqing Awaiting requested review from erjiaqing

@franck-apple franck-apple Awaiting requested review from franck-apple

@gjc13 gjc13 Awaiting requested review from gjc13

@hawk248 hawk248 Awaiting requested review from hawk248

@harsha-rajendran harsha-rajendran Awaiting requested review from harsha-rajendran

@isiu-apple isiu-apple Awaiting requested review from isiu-apple

@jelderton jelderton Awaiting requested review from jelderton

@jmartinez-silabs jmartinez-silabs Awaiting requested review from jmartinez-silabs

@jtung-apple jtung-apple Awaiting requested review from jtung-apple

@kghost kghost Awaiting requested review from kghost

@kpschoedel kpschoedel Awaiting requested review from kpschoedel

@lazarkov lazarkov Awaiting requested review from lazarkov

@LuDuda LuDuda Awaiting requested review from LuDuda

@mlepage-google mlepage-google Awaiting requested review from mlepage-google

@msandstedt msandstedt Awaiting requested review from msandstedt

@rgoliver rgoliver Awaiting requested review from rgoliver

@robszewczyk robszewczyk Awaiting requested review from robszewczyk

@sagar-apple sagar-apple Awaiting requested review from sagar-apple

@saurabhst saurabhst Awaiting requested review from saurabhst

@selissia selissia Awaiting requested review from selissia

@tecimovic tecimovic Awaiting requested review from tecimovic

@tehampson tehampson Awaiting requested review from tehampson

@turon turon Awaiting requested review from turon

@vijs vijs Awaiting requested review from vijs

@vivien-apple vivien-apple Awaiting requested review from vivien-apple

@wbschiller wbschiller Awaiting requested review from wbschiller

@woody-apple woody-apple Awaiting requested review from woody-apple

@xylophone21 xylophone21 Awaiting requested review from xylophone21

@yufengwangca yufengwangca Awaiting requested review from yufengwangca

@yunhanw-google yunhanw-google Awaiting requested review from yunhanw-google

Assignees
No one assigned
Labels
inet review - approved
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@bzbarsky-apple @andy31415 @jepenven-silabs