On Monday 01 December 2014 13:59:44 Sven Eckelmann wrote:
The fragmentation code was replaced in 9b3eab61754d74a93c9840c296013fe3b4a1b606 ("batman-adv: Receive fragmented packets and merge") by an implementation which can handle up to 16 fragments of a packet. The packet is prepared for the split in fragments by the function batadv_frag_send_packet and the actual split is done by batadv_frag_create.
Both functions calculate the size of a fragment themselves. But their calculation differs because batadv_frag_send_packet also subtracts ETH_HLEN. Therefore, the check in batadv_frag_send_packet if a full fragment can be created may return true even when batadv_frag_create cannot create a full fragment.
The function batadv_frag_create doesn't check the size of the skb before splitting it and therefore might try to create a larger fragment than the remaining buffer. This creates an integer underflow and an invalid len is given to skb_split.
Signed-off-by: Sven Eckelmann sven@narfation.org
fragmentation.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Applied in revision eddbc3d.
Thanks, Marek
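The arithmetic described in the quoted commit message, as an added example that is not part of the thread and not batman-adv code: a simplified model in which a "send side" decides whether a fragment must still be split off using a size that subtracts ETH_HLEN (14 bytes, the Ethernet header length), while a "create side" computes the fragment size without that subtraction and, like the described batadv_frag_create, does not check the remaining length before computing the split offset. The function names, the sample mtu and header size, and the hardened variant are assumptions for illustration only.

```c
/* Added example modelling the fragment-size mismatch described above.
 * Not batman-adv code: helper names and sample values are assumptions.
 */
#include <stdio.h>
#include <stdbool.h>

#define ETH_HLEN 14u   /* Ethernet header length, as in the kernel */

/* Size limit the send side (modelling batadv_frag_send_packet) uses to
 * decide whether another fragment must be split off. */
static unsigned int send_side_max_fragment(unsigned int mtu, unsigned int hdr_size)
{
    return mtu - hdr_size - ETH_HLEN;
}

/* Fragment size the split side (modelling batadv_frag_create) uses.
 * It does not subtract ETH_HLEN, so it is ETH_HLEN bytes larger. */
static unsigned int create_side_fragment(unsigned int mtu, unsigned int hdr_size)
{
    return mtu - hdr_size;
}

/* Offset the buggy model hands to skb_split(): remaining length minus the
 * fragment size, in unsigned arithmetic, with no range check. */
static unsigned int buggy_split_offset(unsigned int skb_len, unsigned int mtu,
                                       unsigned int hdr_size)
{
    return skb_len - create_side_fragment(mtu, hdr_size);
}

/* True when the two calculations disagree for this length: the send side
 * believes a fragment must be created, but the split side's fragment is
 * larger than what is left, so the subtraction above wraps around. */
static bool underflows(unsigned int skb_len, unsigned int mtu, unsigned int hdr_size)
{
    bool must_split = skb_len > send_side_max_fragment(mtu, hdr_size);
    bool too_small  = skb_len < create_side_fragment(mtu, hdr_size);
    return must_split && too_small;
}

/* Hardened model (an assumption, not the applied patch): both sides use
 * the same fragment size, and the split side refuses to split when the
 * fragment would not fit instead of producing a wrapped offset. */
static bool safe_split_offset(unsigned int skb_len, unsigned int mtu,
                              unsigned int hdr_size, unsigned int *offset)
{
    unsigned int frag = send_side_max_fragment(mtu, hdr_size);

    if (skb_len <= frag)   /* nothing left to split off */
        return false;
    *offset = skb_len - frag;
    return true;
}

int main(void)
{
    unsigned int mtu = 1400, hdr = 20;            /* constructed sample values */
    unsigned int len = mtu - hdr - ETH_HLEN + 1;  /* first length in the gap */
    unsigned int off;

    printf("send-side max fragment: %u\n", send_side_max_fragment(mtu, hdr));
    printf("create-side fragment:   %u\n", create_side_fragment(mtu, hdr));
    printf("skb len %u -> buggy split offset %u (underflow: %s)\n", len,
           buggy_split_offset(len, mtu, hdr),
           underflows(len, mtu, hdr) ? "yes" : "no");
    if (safe_split_offset(len, mtu, hdr, &off))
        printf("hardened model split offset: %u\n", off);
    return 0;
}
```

Every length strictly between mtu - hdr_size - ETH_HLEN and mtu - hdr_size passes the send side's "more to split" test yet is smaller than the split side's fragment, and the unsigned subtraction wraps to a value near UINT_MAX; that is the invalid len the commit message describes reaching skb_split. With both sides agreeing on one size the gap disappears.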