diff mbox

[1/1] ieee802154-cc2520: Check CRC

Message ID 1450660533-38184-2-git-send-email-bradjc5@gmail.com (mailing list archive)
State Superseded
Headers show

Commit Message

Brad Campbell Dec. 21, 2015, 1:15 a.m. UTC
Add checking the "CRC_OK" bit at the end of incoming packets to make
sure the cc2520 driver only passes up valid packets. Because the AUTOCRC
bit in the FRMCTRL0 register is set to 1 after init, the CC2520 handles
checking the CRC of incoming packets and sets the most significant bit
of the last byte of the incoming packet to 1 if the check passed. This
patch simply checks that bit.

Signed-off-by: Brad Campbell <bradjc5@gmail.com>
---
 drivers/net/ieee802154/cc2520.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

Comments

Alexander Aring Dec. 21, 2015, 11:54 a.m. UTC | #1
Hi,

On Sun, Dec 20, 2015 at 08:15:33PM -0500, Brad Campbell wrote:
> Add checking the "CRC_OK" bit at the end of incoming packets to make
> sure the cc2520 driver only passes up valid packets. Because the AUTOCRC
> bit in the FRMCTRL0 register is set to 1 after init, the CC2520 handles
> checking the CRC of incoming packets and sets the most significant bit
> of the last byte of the incoming packet to 1 if the check passed. This
> patch simply checks that bit.
> 
> Signed-off-by: Brad Campbell <bradjc5@gmail.com>
> ---
>  drivers/net/ieee802154/cc2520.c | 11 +++++++++++
>  1 file changed, 11 insertions(+)
> 
> diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c
> index e65b605..b54edbf 100644
> --- a/drivers/net/ieee802154/cc2520.c
> +++ b/drivers/net/ieee802154/cc2520.c
> @@ -450,6 +450,17 @@ cc2520_read_rxfifo(struct cc2520_private *priv, u8 *data, u8 len, u8 *lqi)
>  
>  	mutex_unlock(&priv->buffer_mutex);
>  
> +	/* If we are reading the actual packet and not just the length byte,
> +	 * check that the CRC is valid.
> +	 */
> +	if (len > 1) {
> +		/* Most significant bit of the last byte of the data buffer
> +		 * is a 1 bit CRC indicator. See section 20.3.4.
> +		 */
> +		if (data[len - 1] >> 7 == 0)
> +			return -EINVAL;
> +	}
> +

Doing an access with "len" which I supposed it's the _transmitted_ len
field of PHR, you need to verify the length field that it's not above
127 which is _phy_ mtu length.

The PHR doesn't reach the mac802154 layer, so we always do such
filtering inside the driver layer.

Look for function "ieee802154_is_valid_psdu_len(len)", example [0].

In general "don't use the len PHR field if you don't check if it's
valid". I also don't know what happens when mac802154 get's an skb above
_phy_ mtu. We should filter on this _always_ inside driver-layer after
receiving. The disadvantage is: monitor interfaces doesn't get such
frames, but it's very rarely that a transceiver receive such bad frame.


I would not bet on, that cc2520 does filter the length field. I had
expierence in other transceiver and the most datasheets give not much
information about such handling exactly.

Nevertheless such check doesn't count for performance, simple add such
handling for drop the frame then. :-)

btw:

Why not:

(!(data[len - 1] & BIT(7)))

then BIT(7) is compile time and not doing shifting operation at runtime.

- Alex

[0] http://lxr.free-electrons.com/source/drivers/net/ieee802154/at86rf230.c#L705
--
To unsubscribe from this list: send the line "unsubscribe linux-wpan" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Alexander Aring Dec. 21, 2015, 12:57 p.m. UTC | #2
On Mon, Dec 21, 2015 at 12:54:18PM +0100, Alexander Aring wrote:
> Hi,
> 
> On Sun, Dec 20, 2015 at 08:15:33PM -0500, Brad Campbell wrote:
> > Add checking the "CRC_OK" bit at the end of incoming packets to make
> > sure the cc2520 driver only passes up valid packets. Because the AUTOCRC
> > bit in the FRMCTRL0 register is set to 1 after init, the CC2520 handles
> > checking the CRC of incoming packets and sets the most significant bit
> > of the last byte of the incoming packet to 1 if the check passed. This
> > patch simply checks that bit.
> > 
> > Signed-off-by: Brad Campbell <bradjc5@gmail.com>
> > ---
> >  drivers/net/ieee802154/cc2520.c | 11 +++++++++++
> >  1 file changed, 11 insertions(+)
> > 
> > diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c
> > index e65b605..b54edbf 100644
> > --- a/drivers/net/ieee802154/cc2520.c
> > +++ b/drivers/net/ieee802154/cc2520.c
> > @@ -450,6 +450,17 @@ cc2520_read_rxfifo(struct cc2520_private *priv, u8 *data, u8 len, u8 *lqi)
> >  
> >  	mutex_unlock(&priv->buffer_mutex);
> >  
> > +	/* If we are reading the actual packet and not just the length byte,
> > +	 * check that the CRC is valid.
> > +	 */
> > +	if (len > 1) {
> > +		/* Most significant bit of the last byte of the data buffer
> > +		 * is a 1 bit CRC indicator. See section 20.3.4.
> > +		 */
> > +		if (data[len - 1] >> 7 == 0)
> > +			return -EINVAL;
> > +	}
> > +
> 
> Doing an access with "len" which I supposed it's the _transmitted_ len
> field of PHR, you need to verify the length field that it's not above
> 127 which is _phy_ mtu length.
> 
> The PHR doesn't reach the mac802154 layer, so we always do such
> filtering inside the driver layer.
> 
> Look for function "ieee802154_is_valid_psdu_len(len)", example [0].
> 
> In general "don't use the len PHR field if you don't check if it's
> valid". I also don't know what happens when mac802154 get's an skb above
> _phy_ mtu. We should filter on this _always_ inside driver-layer after
> receiving. The disadvantage is: monitor interfaces doesn't get such
> frames, but it's very rarely that a transceiver receive such bad frame.
> 
> 
> I would not bet on, that cc2520 does filter the length field. I had
> expierence in other transceiver and the most datasheets give not much
> information about such handling exactly.
> 
> Nevertheless such check doesn't count for performance, simple add such
> handling for drop the frame then. :-)
> 

I actually see, the at86rf230 driver don't drop the frame then. The
frame length is more "unknown" then we use the full phy mtu of 127 for
reading out the framebuffer. (For handling monitor interfaces).

In case for checking your crc valid bit here, maybe do this handling
then when the len field is valid only.

note:
Also IF the driver supports promiscuous mode (it's currently not
supported by cc2520) then you need to turn off this handling as well.
But so far this driver doesn't support promiscuous mode, ignore this
handling then.
Otherwise the driver will filter bad crc frames and monitor interfaces
are there to see such frames inside userspace with e.g. wireshark.

- Alex
--
To unsubscribe from this list: send the line "unsubscribe linux-wpan" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/drivers/net/ieee802154/cc2520.c b/drivers/net/ieee802154/cc2520.c
index e65b605..b54edbf 100644
--- a/drivers/net/ieee802154/cc2520.c
+++ b/drivers/net/ieee802154/cc2520.c
@@ -450,6 +450,17 @@  cc2520_read_rxfifo(struct cc2520_private *priv, u8 *data, u8 len, u8 *lqi)
 
 	mutex_unlock(&priv->buffer_mutex);
 
+	/* If we are reading the actual packet and not just the length byte,
+	 * check that the CRC is valid.
+	 */
+	if (len > 1) {
+		/* Most significant bit of the last byte of the data buffer
+		 * is a 1 bit CRC indicator. See section 20.3.4.
+		 */
+		if (data[len - 1] >> 7 == 0)
+			return -EINVAL;
+	}
+
 	return status;
 }