Hi,
On 12/11/14 18:58, Sven Eckelmann wrote:
batctl tcpdump has an array with all known TVLVs and versions. The correct parser for the TVLV is chosen by getting the pointer from the address calculated by version and type. Unfortunately, the version and type was never validated to ensure that not an unknown TVLV (like mcast) was received.
This missing validation makes it possible to crash batctl by injecting packets with an unknown type and/or version. batctl will try to get the parser, fetch a NULL pointer or random data and then try to dereferenced it. This is usually handled by the operating system with a segfault. But this might be exploitable in rare situations.
An approach to handle this problem is by combining the simple selection step with the validation step. Only valid version+type will return a parser function pointer and the requesting function will only call the parser function pointer when it got one.
This regression was introduced by 4c39fb823b86036df40187f8bd342fe5398c28ef ("batctl: tcpdump - parse TVLV containers").
Signed-off-by: Sven Eckelmann sven@narfation.org
For the whole series:
Acked-by: Antonio Quartulli antonio@meshcoding.com
Thank you very much for your work Sven!
@Marek: the offending patch is in next, therefore this patchset should be merged there as well.
Cheers,