The TT_RESPONSE skb has to be linearised only if the node plans to access the packet payload (so only if the message is directed to that node). In all the other cases the node can avoid this memory operation.
Signed-off-by: Antonio Quartulli ordex@autistici.org
---
routing.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/routing.c b/routing.c index 60ce407..e0e7b7b 100644 --- a/routing.c +++ b/routing.c @@ -616,13 +616,14 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) } break; case TT_RESPONSE: - /* packet needs to be linearized to access the TT changes */ - if (skb_linearize(skb) < 0) - goto out; + if (is_my_mac(tt_query->dst)) { + /* packet needs to be linearized to access the TT + * changes */ + if (skb_linearize(skb) < 0) + goto out;
- if (is_my_mac(tt_query->dst)) handle_tt_response(bat_priv, tt_query); - else { + } else { bat_dbg(DBG_TT, bat_priv, "Routing TT_RESPONSE to %pM [%c]\n", tt_query->dst,
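Review bot: In the TT_RESPONSE branch, tt_query is dereferenced for tt_query->dst before skb_linearize(skb) and the same pointer is then passed to handle_tt_response() after it. skb_linearize() can reallocate the skb data buffer when the packet is non-linear, so if tt_query was derived from skb->data earlier in recv_tt_query() (the assignment is outside the visible context), it should be re-read after the linearize call before being handed to handle_tt_response(). As a style point, kernel comment style puts the closing */ of a multi-line comment on its own line rather than after "changes".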
Before accessing the TT_RESPONSE packet payload, the node has to ensure that the packet is long enough as it would expect to be.
Reported-by: Simon Wunderlich siwu@hrz.tu-chemnitz.de
Signed-off-by: Antonio Quartulli ordex@autistici.org
---
routing.c | 9 +++++++++
1 files changed, 9 insertions(+), 0 deletions(-)
diff --git a/routing.c b/routing.c index e0e7b7b..ef24a72 100644 --- a/routing.c +++ b/routing.c @@ -578,6 +578,7 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) { struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface); struct tt_query_packet *tt_query; + uint16_t tt_len; struct ethhdr *ethhdr;
/* drop packet if it has not necessary minimum size */ @@ -622,6 +623,14 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) if (skb_linearize(skb) < 0) goto out;
+ tt_len = tt_query->tt_data * sizeof(struct tt_change); + + /* Ensure we have all the claimed data */ + if (unlikely(skb_headlen(skb) < + sizeof(struct tt_query_packet) + + tt_len)) + goto out; + handle_tt_response(bat_priv, tt_query); } else { bat_dbg(DBG_TT, bat_priv,
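Review bot: tt_len is declared uint16_t in the first hunk, but in the second hunk it receives tt_query->tt_data * sizeof(struct tt_change), a size_t product that is silently truncated on assignment once it exceeds 65535. A tt_data value from the packet that is large enough to wrap would let the skb_headlen() comparison pass against a smaller length than tt_data claims, which defeats the purpose of the check. Declaring tt_len as size_t, or rejecting a tt_data larger than what can fit in the received packet before multiplying, closes that gap. It is also worth confirming that tt_data is already in host byte order at this point, since no conversion is visible in this context.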
On Sunday, October 16, 2011 20:32:03 Antonio Quartulli wrote:
Before accessing the TT_RESPONSE packet payload, the node has to ensure that the packet is long enough as it would expect to be.
Patch was applied in revision e096f38.
Thanks, Marek
On Sunday, October 16, 2011 20:32:02 Antonio Quartulli wrote:
The TT_RESPONSE skb has to be linearised only if the node plans to access the packet payload (so only if the message is directed to that node). In all the other cases the node can avoid this memory operation.
Patch was applied in revision 7f1b2a0.
Thanks, Marek
b.a.t.m.a.n@lists.open-mesh.org