
Commit c25249a

committed
Add improved buffer protection to ZMQ
1 parent 65983f3 commit c25249a


5 files changed

+24
-22
lines changed


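--- a/include/csp/csp_id.h
+++ b/include/csp/csp_id.h
@@ -94,6 +94,8 @@ int csp_id_get_header_size(void);
 */
 void csp_id_prepend_fixup_cspv1(csp_packet_t * packet);
 
+csp_id_t csp_id_extract(const uint8_t * data);
+
 /**
 * Strip CSPv1-compatible ID header (ZMQ fixup).
 *
@@ -113,6 +115,13 @@ static inline void csp_id_prepend_fixup_cspv1(csp_packet_t * packet) {
 csp_id_prepend(packet);
 }
 
+/**
+* Wrapper for csp_id_extract when no fixup is required.
+*/
+static inline csp_id_t csp_id_extract_fixup_cspv1(const uint8_t * data) {
+return csp_id_extract(data);
+}
+
 /**
 * Wrapper for csp_id_strip when no fixup is required.
 */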
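Review bot: The prototype `csp_id_t csp_id_extract(const uint8_t * data);` added at new line 97 takes a bare pointer with no length and, unlike the declarations around it, has no doc comment, so the number of bytes it reads is an unstated precondition. Callers in this commit pass receive buffers to it directly (`eth_frame->frame_begin`, and the ZMQ `rx_data` through the wrapper), so the contract should be written down, for example `/** Extract the CSP ID from a raw header; data must point to at least csp_id_get_header_size() readable bytes. */`, assuming that is the amount the implementation consumes. The comment on the `csp_id_extract_fixup_cspv1` wrapper at new line 118 should repeat that precondition rather than only saying it is a wrapper.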

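--- a/src/csp_id.c
+++ b/src/csp_id.c
@@ -231,7 +231,7 @@ int csp_id_strip_fixup_cspv1(csp_packet_t * packet) {
 return -1;
 }
 
-packet->id = csp_id_extract_cspv1(packet->frame_begin);
+packet->id = csp_id_extract_fixup_cspv1(packet->frame_begin);
 packet->length = packet->frame_length - csp_id_get_header_size();
 return 0;
 }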
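Review bot: The call at new line 234 now targets `csp_id_extract_fixup_cspv1`, but the only definition of that name visible in this commit is the inline wrapper in include/csp/csp_id.h, documented as the "no fixup is required" case and forwarding to `csp_id_extract`. If `csp_id_strip_fixup_cspv1` is built in the fixup configuration, the page does not show a fixup-aware definition, nor that the CSPv1-specific decoding done by the replaced `csp_id_extract_cspv1` is preserved. It is worth confirming that the fixup build compiles and still decodes CSPv1 headers, and adding a comment at the call such as `/* fixup variant: must decode the CSPv1 header layout */`. The function body starts outside the hunk.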

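--- a/src/interfaces/csp_if_can.c
+++ b/src/interfaces/csp_if_can.c
@@ -54,11 +54,14 @@ static int csp_can1_rx(csp_iface_t * iface, uint32_t id, const uint8_t * data, u
 memcpy(header, data, CFP1_CSP_HEADER_SIZE);
 csp_id_t csp_id = csp_id_extract(header);
 packet = csp_can_pbuf_new(ifdata, id, csp_id, task_woken);
-packet->id = csp_id;
 if (packet == NULL) {
 iface->drop++;
 return CSP_ERR_NOBUFS;
 }
+
+csp_id_setup_rx(packet);
+packet->id = csp_id;
+
 memcpy(packet->frame_begin, data, CFP1_CSP_HEADER_SIZE);
 packet->frame_length += CFP1_CSP_HEADER_SIZE;
 } else {
@@ -82,8 +85,6 @@ static int csp_can1_rx(csp_iface_t * iface, uint32_t id, const uint8_t * data, u
 break;
 }
 
-csp_id_setup_rx(packet);
-
 /* Copy CSP length (of data) */
 memcpy(&(packet->length), data + CFP1_CSP_HEADER_SIZE, CFP1_DATA_LEN_SIZE);
 packet->length = be16toh(packet->length);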
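Review bot: The reordering at new lines 61-64 is what stops `packet->id` being written through a pointer that may be NULL, yet nothing in the code says the assignment has to stay below the `packet == NULL` check and after `csp_id_setup_rx()`. A one-line comment above `csp_id_setup_rx(packet);`, such as `/* packet is non-NULL from here; set id only after csp_id_setup_rx() */`, would keep a later cleanup from moving it back. The second hunk also removes the `csp_id_setup_rx(packet)` call that followed the `break; }` at old line 85, so only the path shown in the first hunk calls it now; that looks intended, but the other branches lie outside the hunks and should be checked.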

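--- a/src/interfaces/csp_if_eth.c
+++ b/src/interfaces/csp_if_eth.c
@@ -180,9 +180,7 @@ int csp_eth_rx(csp_iface_t * iface, csp_eth_header_t * eth_frame, uint32_t recei
 return CSP_ERR_INVAL;
 }
 
-uint8_t csp_header[6];
-memcpy(csp_header, eth_frame->frame_begin, 6);
-csp_id_t csp_id = csp_id_extract(csp_header);
+csp_id_t csp_id = csp_id_extract(eth_frame->frame_begin);
 
 csp_packet_t * packet = csp_eth_pbuf_find(ifdata, packet_id, csp_id, task_woken);
 
@@ -195,6 +193,7 @@ int csp_eth_rx(csp_iface_t * iface, csp_eth_header_t * eth_frame, uint32_t recei
 if (packet->frame_length == 0) {
 /* First segment */
 csp_id_setup_rx(packet);
+packet->id = csp_id;
 packet->frame_length = frame_length;
 packet->rx_count = 0;
 }
@@ -221,14 +220,9 @@ int csp_eth_rx(csp_iface_t * iface, csp_eth_header_t * eth_frame, uint32_t recei
 return CSP_ERR_NONE;
 }
 
-csp_eth_pbuf_free(ifdata, packet, false, task_woken);
+packet->length = packet->frame_length - csp_id_get_header_size();
 
-if (csp_id_strip(packet) != 0) {
-csp_print("eth rx packet discarded due to error in ID field\n");
-iface->frame++;
-(task_woken) ? csp_buffer_free_isr(packet) : csp_buffer_free(packet);
-return CSP_ERR_INVAL;
-}
+csp_eth_pbuf_free(ifdata, packet, false, task_woken);
 
 /* Record CSP and MAC addresses of source */
 csp_eth_arp_set_addr(eth_frame->ether_shost, packet->id.src);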
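Review bot: The subtraction at new line 223, `packet->length = packet->frame_length - csp_id_get_header_size();`, has no lower-bound check, and the `csp_id_strip()` error path it replaces was the only visible place where a reassembled frame with a bad ID field was counted and dropped. If `frame_length` can be smaller than the header size, the result wraps or goes negative depending on the field's type and is then trusted as the payload length; whether an earlier check in csp_eth_rx rules this out cannot be seen from the hunks. A guard that keeps the old drop behaviour is sketched below, and the same unchecked subtraction is added in src/interfaces/csp_if_zmqhub.c at new line 160. The first hunk also reads the ID straight from `eth_frame->frame_begin`, which relies on the received length covering the header.

```c
// … unchanged: code up to the `return CSP_ERR_NONE;` early exit …

if (packet->frame_length < csp_id_get_header_size()) {
	/* Too short to hold a CSP header: count and drop, as the removed csp_id_strip() path did */
	iface->frame++;
	csp_eth_pbuf_free(ifdata, packet, false, task_woken);
	(task_woken) ? csp_buffer_free_isr(packet) : csp_buffer_free(packet);
	return CSP_ERR_INVAL;
}
packet->length = packet->frame_length - csp_id_get_header_size();

// … unchanged: csp_eth_pbuf_free() and ARP bookkeeping …
```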

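--- a/src/interfaces/csp_if_zmqhub.c
+++ b/src/interfaces/csp_if_zmqhub.c
@@ -134,8 +134,10 @@ static void * csp_zmqhub_task(void * param) {
 uint8_t * rx_data = zmq_msg_data(&msg);
 rx_data = csp_zmqhub_fixup_cspv1_del_dest_addr(rx_data, &datalen);
 
+csp_id_t csp_id = csp_id_extract_fixup_cspv1(rx_data);
+
 // Create new csp packet
-if (csp_iflist_get_by_addr(*((uint16_t*)&rx_data[2]) & 0x3FFF) != NULL) {
+if (csp_iflist_get_by_addr(csp_id.dst) != NULL) {
 /* The packet is for us, make sure we don't silently ignore the situation if we can't process it */
 packet = csp_buffer_get_always();
 } else {
@@ -150,17 +152,13 @@ static void * csp_zmqhub_task(void * param) {
 }
 
 csp_id_setup_rx(packet);
+packet->id = csp_id;
 
 memcpy(packet->frame_begin, rx_data, datalen);
 packet->frame_length = datalen;
+/* Extract data length */
+packet->length = packet->frame_length - csp_id_get_header_size();
 
-/* Parse the frame and strip the ID field */
-if (csp_id_strip_fixup_cspv1(packet) != 0) {
-drv->iface.rx_error++;
-csp_buffer_free(packet);
-zmq_msg_close(&msg);
-continue;
-}
 
 // Route packet
 csp_qfifo_write(packet, &drv->iface, NULL);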
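Review bot: `csp_id_extract_fixup_cspv1(rx_data)` at new line 137 parses header bytes from the ZMQ message before anything in this hunk confirms that `datalen` covers a CSP header, and the fixup call on the line above takes `&datalen`, so it may change the length after any earlier check. With the `csp_id_strip_fixup_cspv1()` branch removed in the second hunk, a malformed frame is no longer counted in `rx_error` and skipped at this point. Unless the bound is enforced earlier in the loop, outside the hunk, add a guard before line 137 along the lines of `if (datalen < csp_id_get_header_size()) { drv->iface.rx_error++; zmq_msg_close(&msg); continue; }`. The `memcpy(packet->frame_begin, rx_data, datalen)` context line depends on the same validation for its upper bound.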
