In order to support multiple TLVs, the transmit code must be able to
append one TLV after another. This patch adds a method that checks
whether there is room, allocates the TLV descriptor, sets the buffer
pointer, and appends the descriptor to the list.
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
This patch changes the receive message parsing code to place each TLV
into the list. A method is introduced that allows attaching TLVs to
the end of the list.
In addition, msg.last_tlv is converted into a pointer to the last item
in the list. Because of this change, the transmit code that uses this
field now allocates a TLV before using it.
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
In order to support multiple TLVs per message, a list is needed.
This patch adds the list to the message structure. This list will
eventually replace the 'last_tlv' field.
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
Any code that wants to call one_step() needs to link with the static
global 'assume_two_step'. This patch moves that variable's definition
from ptp4l.c to msg.c. Not only is that file the more natural choice
(since the variable is used on msg.h) but also this allows other
programs to call the one_step() function.
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
If the len is not enought for another tlv process. e.g. one more bytes
padding at the end of message. And we set extra to NULL instead of
msg->last_tlv in tlv_post_recv(). Then the msg->last_tlv will not be
initialised. And program will crash if we read msg->last_tlv. e.g. in
function pmc_show().
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
The message lists are implemented using a TAILQ from queue(3). The heads
of the list must be initialized using the provided macros, since the field
called 'tqh_last' is non-zero in the initial state. This patch fixes a
potential null pointer dereference by properly initializing the queues.
Note that there is no actual bug in the current code, because it uses the
lists in such a way as to initialize 'tqh_last' before any dereference.
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
This patch adds proper byte order processing for the target port
identity field of management messages. This bug was not previously
noticed due to the fact that our client had always set this field
to the wild card port number of 0xffff.
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
When there is a peer speaking PTPv1 in the network we want to silently ignore
the packets instead of flooding system log with error messages. At the same
time we still want to report malformed packets. For that we reuse standard
error numbers and do more fine-grained error reporting in packet processing
routines.
Signed-off-by: Libor Pechacek <lpechacek@suse.cz>
The 'struct ptp_message" includes a 64 bit integer field, ts.pdu.sec,
and this must be aligned to an eight byte boundary for armv5 machines.
Although the compiler puts the field at the right offset, we spoil this
by packing the struct with 20 bytes of head room. This patch fixes the
issue by realigning the message buffer.
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
These flexible TLVs don't need to be represented as a single packed
struct directly in the message buffer. Instead a separate struct
contains pointers to the individual parts of the TLV in the message
buffer. The flexible TLV can only be the last TLV in a message.
Signed-off-by: Geoff Salmon <gsalmon@se-instruments.com>
The function, tlv_post_recv, and the functions it calls don't check
the length of the tlv before flipping the byte order of fields. An
attacker (or a really buggy client) can craft a message causing the
byte order of data outside the received message to be flipped.
None of the supported tlvs are large enough to flip bytes outside the
ptp_message struct, which could corrupt the heap. However, it's easy
to mess up the message's refcnt field, leading to memory leaks.
The fix is to check that the tlv length is what is expected when
receiving, and tlv_post_recv needs to return an int to signal when a
tlv is invalid.
Signed-off-by: Geoff Salmon <gsalmon@se-instruments.com>
The message code is horribly broken in three ways.
1. Clearing the message also sets the reference count to zero.
2. The recycling code in msg_put does not test the reference count.
3. The allocation code does not remove the message from the pool,
although this code was never reached because of point 2.
This patch fixes the issues and also adds some debugging code to trace
the message pool statistics.
Signed-off-by: Richard Cochran <richardcochran@gmail.com>
This patch is in preparation for handling the suffix TLV data. We will
need to use the structure size more than once.
Signed-off-by: Richard Cochran <richardcochran@gmail.com>