[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ULE Linux kernel code



Dear all,

this is to inform you about recent finding and changes to the Linux
Kernel ULE code, which we are about to submit soon. Please let us know
whether you have any questions and/or comments.

1. Fixed check of SNDU length.
Explanation:
The SNDU length was not checked correctly, thus leaving the possibility
for a kernel panic if receiving malformed SNDUs.
Solution:
Now, the SNDU length is considered invalid if it is less then 5. The
reasoning for this is that an SNDU must always carry at least one
 byte of payload and the CRC32 (4 Bytes).

2. Added check of return value from functions which handle mandatory
extension headers (e.g. ule_test_sndu)

3. Fixed handling of optional extension headers.
Explanation:
When processing optional extension headers, the length of the extension
header was not calculated correctly.
Also the next header type field was assumed to be after the optional
extension header. In fact, it is a part of it (always the last two bytes).
Solution:
The length calc. and next header type field access for optional ext.
headers have been fixed.

4. Fixed check of destination address in presence of extension headers.
Explanation:
The destination address was assumed to be after any extension headers.
Thus, the extension headers were processed before comparing the
destination address with the actual address of the receiver. After that,
the total length of the ext. headers was removed from the buffer (skb)
also including the destination address.
Solution:
Now, the destination address (if present) is checked before processing
any extension headers. The destination address is saved in a local
buffer because it may be required for constructing the ethernet header.

5. Fixed/Improved filtering on destination address (if present in ULE SNDU)
(1) Now, everything is passed up the stack if in promiscious mode.
(2) The address of the receiver device and the broadcast address
(FF:FF:FF:FF:FF:FF) are always accepted.
(3) If in multicast mode, all addresses in the multicast address list
are accepted (in addition to 2).
(4) If in all-multicast mode, all multicast addresses are accepted (in
addition to 2).

6. Reduced timeout value for TS cells to 10 ms.

7. Fixed arguments for setting TS feed properties.
The documentation for DVB-API v3 and what is actually present in the
Linux kernel seem to be out of sync.
The set() function for TS feeds differs in the DVB API version 3
document and the Linux kernel version:
int set(dmx ts feed t* feed, u16 pid, size_t callback length, size_t
circular buffer size, int descramble, struct timespec timeout);
Actually implemented in the 2.6.15 Kernel:
int dmx_ts_feed_set(struct dmx_ts_feed *ts_feed, u16 pid, int ts_type,
enum dmx_ts_pes pes_type, size_t circular_buffer_size, struct t
imespec timeout);


Regards,
Bernhard and Christian