commit 2c995ff892313009e336ecc8ec3411022f5b1c39 upstream.
skb_linearize(skb) possibly rearranges the skb internal data and then changes the skb->data pointer value. For this reason any other pointer in the code that was assigned skb->data before invoking skb_linearise(skb) must be re-assigned.
In the current tt_query message handling code this is not done and therefore, in case of skb linearization, the pointer used to handle the packet header ends up pointing to poisoned memory. The packet is then dropped but the translation-table mechanism is corrupted.
Signed-off-by: Antonio Quartulli ordex@autistici.org
Signed-off-by: Sven Eckelmann sven@narfation.org
---
Hello,
the patch committed upstream already contains Cc: stable@vger.kernel.org but that patch does apply only on 3.5, 3.4 and 3.3.
This patch is a backport for kernel versions 3.1 and 3.2
Thank you, Antonio
net/batman-adv/routing.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c index 0f32c81..55136e5 100644 --- a/net/batman-adv/routing.c +++ b/net/batman-adv/routing.c @@ -1246,6 +1246,8 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) /* packet needs to be linearised to access the TT changes */ if (skb_linearize(skb) < 0) goto out; + /* skb_linearize() possibly changed skb->data */ + tt_query = (struct tt_query_packet *)skb->data;
if (is_my_mac(tt_query->dst)) handle_tt_response(bat_priv, tt_query);
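Review bot: the refresh `tt_query = (struct tt_query_packet *)skb->data;` sits in the right place, after the `skb_linearize(skb) < 0` check and before the first dereference in `if (is_my_mac(tt_query->dst))`, but the hunk only refreshes this one pointer; any other pointer into the skb that recv_tt_query() takes from skb->data before the linearize call (the hunk shows neither the original tt_query assignment nor the rest of the function) has the same problem and needs the same treatment, so the full function should be read rather than this hunk alone. For stable reviewers it is also worth saying plainly what "poisoned memory" in the commit message means: after linearization the old pointer refers to the freed previous head, so the dereference is a read of freed memory, not just a wrong value.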
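As an added illustration of the hazard the commit message describes (example code written for this page, not batman-adv or kernel code): a user-space toy model of skb_linearize() that reallocates the head buffer, with the buggy pattern (a header pointer cached before the call) shown as a stale-address check rather than a dereference, next to the patched pattern that re-reads skb->data afterwards. The toy_skb and toy_tt_query structs, the sample header bytes and all function names are assumptions made for the example; the real struct sk_buff and tt_query_packet have more fields.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of a socket buffer for this example only (not the kernel's
 * struct sk_buff): a linear head that data points into, plus an optional
 * non-linear fragment that must be pulled in before the payload can be
 * read as one array. */
struct toy_skb {
	uint8_t *data;      /* start of the packet header, like skb->data */
	size_t   len;       /* bytes in the linear head */
	uint8_t *frag;      /* paged fragment, NULL when already linear */
	size_t   frag_len;
};

/* Header layout assumed for the example: only the dst/src fields that
 * recv_tt_query() reads. */
struct toy_tt_query {
	uint8_t dst[6];
	uint8_t src[6];
};

/* Models skb_linearize(): copy head and fragment into a new contiguous
 * head. The new head is allocated while the old one is still alive, so
 * its address is necessarily different; the old head is then freed and
 * any pointer cached from data now dangles. Returns 0 or -1. */
static int toy_linearize(struct toy_skb *skb)
{
	uint8_t *head;

	if (!skb->frag)
		return 0;
	head = malloc(skb->len + skb->frag_len);
	if (!head)
		return -1;
	memcpy(head, skb->data, skb->len);
	memcpy(head + skb->len, skb->frag, skb->frag_len);
	free(skb->data);
	free(skb->frag);
	skb->data = head;
	skb->len += skb->frag_len;
	skb->frag = NULL;
	skb->frag_len = 0;
	return 0;
}

/* Constructed sample: a 12-byte header (dst 02:03:04:05:06:07, src
 * 0a:0b:0c:0d:0e:0f) and, when fragmented != 0, a 4-byte "TT changes"
 * fragment that forces a real relocation. */
static struct toy_skb *make_sample_skb(int fragmented)
{
	static const uint8_t hdr[12] = { 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
					 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f };
	static const uint8_t changes[4] = { 0xaa, 0xbb, 0xcc, 0xdd };
	struct toy_skb *skb = calloc(1, sizeof(*skb));

	skb->data = malloc(sizeof(hdr));
	memcpy(skb->data, hdr, sizeof(hdr));
	skb->len = sizeof(hdr);
	if (fragmented) {
		skb->frag = malloc(sizeof(changes));
		memcpy(skb->frag, changes, sizeof(changes));
		skb->frag_len = sizeof(changes);
	}
	return skb;
}

static void free_sample_skb(struct toy_skb *skb)
{
	free(skb->data);
	free(skb->frag);
	free(skb);
}

/* The pattern the patch fixes: the header pointer is taken from data
 * before linearization. Dereferencing it afterwards would read the freed
 * old head, so this records the address as an integer and reports whether
 * it moved instead. Returns 1 if the cached pointer is stale, 0 if not,
 * -1 on allocation failure. */
int went_stale_after_linearize(int fragmented)
{
	struct toy_skb *skb = make_sample_skb(fragmented);
	uintptr_t cached = (uintptr_t)skb->data;   /* tt_query = skb->data */
	int stale;

	if (toy_linearize(skb) < 0) {
		free_sample_skb(skb);
		return -1;
	}
	stale = cached != (uintptr_t)skb->data;
	free_sample_skb(skb);
	return stale;
}

/* The patched flow: re-read the header pointer from data after
 * linearization and only then touch the header. Returns dst[idx], or -1
 * on allocation failure or an out-of-range index. */
int fixed_handler_dst_byte(int fragmented, int idx)
{
	struct toy_skb *skb = make_sample_skb(fragmented);
	const struct toy_tt_query *tt_query = (const struct toy_tt_query *)skb->data;
	int byte;

	(void)tt_query;   /* earlier code may use it; it is about to go stale */
	if (toy_linearize(skb) < 0 || idx < 0 || idx > 5) {
		free_sample_skb(skb);
		return -1;
	}
	/* linearization possibly changed data: refresh before dereferencing */
	tt_query = (const struct toy_tt_query *)skb->data;
	byte = tt_query->dst[idx];
	free_sample_skb(skb);
	return byte;
}
```

The stale check is deliberately an address comparison: the point is that a fragmented buffer always relocates, so any pointer computed before the call is invalid afterwards, and the only safe pattern is the one in the patch, re-deriving the pointer from skb->data once the call has succeeded.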
From: Marek Lindner lindner_marek@yahoo.de
commit 5870adc68fc39d81089f1e80efdf64b97e5c37a1 upstream
bug introduced with 59b699cdee039d75915c354da06937102d1f9a84
If the source or destination mac address of an ethernet packet could not be found in the translation table the packet was dropped if AP isolation was turned on. This behavior would make it impossible to send broadcast packets over the mesh as the broadcast address will never enter the translation table.
Signed-off-by: Marek Lindner lindner_marek@yahoo.de
Acked-by: Antonio Quartulli ordex@autistici.org
---
net/batman-adv/translation-table.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index a66c2dc..660c40f 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -2031,10 +2031,10 @@ bool is_ap_isolated(struct bat_priv *bat_priv, uint8_t *src, uint8_t *dst) { struct tt_local_entry *tt_local_entry = NULL; struct tt_global_entry *tt_global_entry = NULL; - bool ret = true; + bool ret = false;
if (!atomic_read(&bat_priv->ap_isolation)) - return false; + goto out;
tt_local_entry = tt_local_hash_find(bat_priv, dst); if (!tt_local_entry) @@ -2044,10 +2044,10 @@ bool is_ap_isolated(struct bat_priv *bat_priv, uint8_t *src, uint8_t *dst) if (!tt_global_entry) goto out;
- if (_is_ap_isolated(tt_local_entry, tt_global_entry)) + if (!_is_ap_isolated(tt_local_entry, tt_global_entry)) goto out;
- ret = false; + ret = true;
out: if (tt_global_entry)
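Review bot: in the first hunk, turning `return false;` into `goto out;` for the AP-isolation-disabled case is only safe because both tt_local_entry and tt_global_entry are initialised to NULL at the top of the function (visible in the hunk) and the out: path tests `if (tt_global_entry)` before releasing; that dependency deserves a short comment so a later change to the initialisers does not turn this into a NULL dereference. The new default `bool ret = false;` also means every early exit (isolation off, dst not in the local table, src not in the global table) now reports "not isolated": that is the intent for the broadcast address, which never enters the translation table, but it equally means a unicast frame whose endpoints have not yet been learned passes through AP isolation, and the commit message should state that trade-off rather than only the broadcast case.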
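Review bot: in the second hunk the polarity is now correct (exit early when `!_is_ap_isolated(...)`, set `ret = true;` only on fall-through), but the double negative is easy to misread alongside the inverted default. The two changed lines could be collapsed into a single `ret = _is_ap_isolated(tt_local_entry, tt_global_entry);` before out:, which reads as the function's meaning and removes the chance of the flag and the condition drifting apart again in a future edit.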
On Fri, 2012-06-29 at 22:58 +0200, Antonio Quartulli wrote:
From: Marek Lindner lindner_marek@yahoo.de
commit 5870adc68fc39d81089f1e80efdf64b97e5c37a1 upstream
bug introduced with 59b699cdee039d75915c354da06937102d1f9a84
If the source or destination mac address of an ethernet packet could not be found in the translation table the packet was dropped if AP isolation was turned on. This behavior would make it impossible to send broadcast packets over the mesh as the broadcast address will never enter the translation table.
[...]
Are you OK with this going into 3.2.y, David?
Ben.
From: Ben Hutchings ben@decadent.org.uk Date: Sun, 01 Jul 2012 04:04:07 +0100
On Fri, 2012-06-29 at 22:58 +0200, Antonio Quartulli wrote:
From: Marek Lindner lindner_marek@yahoo.de
commit 5870adc68fc39d81089f1e80efdf64b97e5c37a1 upstream
bug introduced with 59b699cdee039d75915c354da06937102d1f9a84
If the source or destination mac address of an ethernet packet could not be found in the translation table the packet was dropped if AP isolation was turned on. This behavior would make it impossible to send broadcast packets over the mesh as the broadcast address will never enter the translation table.
[...]
Are you OK with this going into 3.2.y, David?
Yes.
On Fri, 2012-06-29 at 22:58 +0200, Antonio Quartulli wrote:
commit 2c995ff892313009e336ecc8ec3411022f5b1c39 upstream.
skb_linearize(skb) possibly rearranges the skb internal data and then changes the skb->data pointer value. For this reason any other pointer in the code that was assigned skb->data before invoking skb_linearise(skb) must be re-assigned.
In the current tt_query message handling code this is not done and therefore, in case of skb linearization, the pointer used to handle the packet header ends up pointing to poisoned memory. The packet is then dropped but the translation-table mechanism is corrupted.
Signed-off-by: Antonio Quartulli ordex@autistici.org Signed-off-by: Sven Eckelmann sven@narfation.org
Hello,
the patch committed upstream already contains Cc: stable@vger.kernel.org but that patch does apply only on 3.5, 3.4 and 3.3.
This patch is a backport for kernel versions 3.1 and 3.2
[...]
--- a/net/batman-adv/routing.c +++ b/net/batman-adv/routing.c @@ -1246,6 +1246,8 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) /* packet needs to be linearised to access the TT changes */
Interesting context; the spelling of 'linearized' doesn't match and the line numbers are way off. :-)
But OK, I've added this to the queue.
Ben.
if (skb_linearize(skb) < 0) goto out;
/* skb_linearize() possibly changed skb->data */
tt_query = (struct tt_query_packet *)skb->data;
if (is_my_mac(tt_query->dst)) handle_tt_response(bat_priv, tt_query);
b.a.t.m.a.n@lists.open-mesh.org