Hi David,
we have identified and fixed 2 more critical bugs in the linux-3.1 code base. We are somewhat late in the 3.1 release cycle but hoped to take advantage of the delayed release to get these patches included before the final version is out. If not, I will have to send these patches to stable@ and would like to see these patches applied to net-next-2.6/3.2. No merge conflicts are to be expected. Let us know what works best for you.
Thanks, Marek
The following changes since commit 8b267b312df9343fea3bd679c509b36214b5a854:
batman-adv: do_bcast has to be true for broadcast packets only (2011-09-22 20:27:10 +0200)
are available in the git repository at: git://git.open-mesh.org/linux-merge.git batman-adv/maint
Antonio Quartulli (2):
      batman-adv: fix tt_local_reset_flags() function
      batman-adv: correctly set the data field in the TT_REPONSE packet

 net/batman-adv/translation-table.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)
From: Antonio Quartulli ordex@autistici.org
Currently the counter of tt_local_entry structures (tt_local_num) is incremented each time tt_local_reset_flags() is invoked, causing the node to send wrong TT_RESPONSE packets containing a copy of non-initialised memory, thus corrupting other nodes' global translation table and making higher level communication impossible.

Reported-by: Junkeun Song jun361@gmail.com
Signed-off-by: Antonio Quartulli ordex@autistici.org
Acked-by: Junkeun Song jun361@gmail.com
Signed-off-by: Marek Lindner lindner_marek@yahoo.de
---
 net/batman-adv/translation-table.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index fb6931d..f599db9 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -1668,6 +1668,8 @@ static void tt_local_reset_flags(struct bat_priv *bat_priv, uint16_t flags) rcu_read_lock(); hlist_for_each_entry_rcu(tt_local_entry, node, head, hash_entry) { + if (!(tt_local_entry->flags & flags)) + continue; tt_local_entry->flags &= ~flags; atomic_inc(&bat_priv->num_local_tt); }
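Review bot: The new `if (!(tt_local_entry->flags & flags)) continue;` inside the hlist_for_each_entry_rcu() loop is the only thing tying `atomic_inc(&bat_priv->num_local_tt)` to entries that actually carried the flag, and nothing in the code says so. A function named tt_local_reset_flags() does not suggest that it also maintains a counter, so a short comment above the check stating that only entries whose flag is being cleared may be counted would keep a later cleanup from reintroducing the over-count. The commit message also calls the counter tt_local_num while the hunk shows num_local_tt; please align the message with the code so the fix can be found by searching for the field name.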
From: Antonio Quartulli ordex@autistici.org
In the TT_RESPONSE packet, the number of carried entries is not correctly set. This leads to a wrong interpretation of the packet payload on the receiver side, causing random entries to be added to the global translation table. Therefore the latter always gets corrupted, triggering a table recovery all the time.

Signed-off-by: Antonio Quartulli ordex@autistici.org
Signed-off-by: Marek Lindner lindner_marek@yahoo.de
---
 net/batman-adv/translation-table.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index f599db9..ef1acfd 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -999,7 +999,6 @@ static struct sk_buff *tt_response_fill_table(uint16_t tt_len, uint8_t ttvn, tt_response = (struct tt_query_packet *)skb_put(skb, tt_query_size + tt_len); tt_response->ttvn = ttvn; - tt_response->tt_data = htons(tt_tot);
tt_change = (struct tt_change *)(skb->data + tt_query_size); tt_count = 0; @@ -1025,6 +1024,10 @@ static struct sk_buff *tt_response_fill_table(uint16_t tt_len, uint8_t ttvn, } rcu_read_unlock();
+ /* store in the message the number of entries we have successfully + * copied */ + tt_response->tt_data = htons(tt_count); + out: return skb; }
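Review bot: In the second hunk tt_data now reports tt_count, but the first hunk still reserves the payload with `skb_put(skb, tt_query_size + tt_len)` before any entry is copied, so whenever fewer entries are copied than tt_len has room for, the unwritten tail of that area is still part of the transmitted packet. skb_put() does not zero the area it returns, so either trim the skb to the bytes actually filled (skb_trim()) once the loop is done, or clear the reserved payload up front. Two smaller points: the assignment sits directly above `out:`, so any `goto out` path skips it, which is only correct if those paths never return a usable skb and deserves a word in the comment; and since the commit message says a wrong count makes the receiver add random entries, the receive path should also bound tt_data by the received payload length instead of trusting the sender.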
From: Marek Lindner lindner_marek@yahoo.de Date: Tue, 18 Oct 2011 23:01:07 +0200
> we have identified and fixed 2 more critical bugs in the linux-3.1 code base. We are somewhat late in the 3.1 release cycle but hoped to take advantage of the delayed release to get these patches included before the final version is out.
Pulled, thanks Marek.