Before accessing the TT_RESPONSE message payload, we have to ensure that the real length of the packet reflect the claimed one (contained in tt_response->tt_data field)

Reported-by: Simon Wunderlich siwu@hrz.tu-chemnitz.de Signed-off-by: Antonio Quartulli ordex@autistici.org --- routing.c | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/routing.c b/routing.c index 1a5d046..21a68a2 100644 --- a/routing.c +++ b/routing.c @@ -578,6 +578,7 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) { struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface); struct tt_query_packet *tt_query; + uint16_t tt_len; struct ethhdr *ethhdr;

/* drop packet if it has not necessary minimum size */ @@ -621,6 +622,17 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) if (skb_linearize(skb) < 0) goto out;

+ if (tt_query->flags & TT_FULL_TABLE) + tt_len = tt_query->tt_data * ETH_ALEN; + else + tt_len = tt_query->tt_data * + sizeof(struct tt_change); + + /* Ensure we have all the claimed data */ + if (unlikely(skb->length != sizeof(struct tt_query) + + tt_len)) + goto out; + handle_tt_response(bat_priv, tt_query); } else { bat_dbg(DBG_TT, bat_priv,