here we have another (I think the last) fix intended for net/linux-3.9.
This patch fixes a bug in the Translation Table component. In particular, when batman-adv accesses the "inner Ethernet header", it has to jump over its header, which can have two different lengths. The current code assumes that this length is always the same, leading to a wrong access. This patch fixes it by making the "jump" generic.
The bug is not very critical because it "only" breaks our "smart rerouting feature" and does not lead to a crash since the memory it accesses is always allocated. I would send it to stable, but you can decide whether it is worth it or not.
Please pull or let me know if there is any problem.
Thanks a lot,
Antonio
The following changes since commit 60d509fa6a9c4653a86ad830e4c4b30360b23f0e:
Linux 3.9-rc8 (2013-04-21 14:38:45 -0700)
are available in the git repository at:
git://git.open-mesh.org/linux-merge.git tags/batman-adv-fix-for-davem
for you to fetch changes up to dd981ab091cde09bb9eb23c8d81305ba615ee30c:
batman-adv: use the proper header len when checking the TTVN (2013-04-22 09:55:23 +0200)
----------------------------------------------------------------
Included changes:
- fix Ethernet header access by jumping the correct batman-adv header
----------------------------------------------------------------
Antonio Quartulli (1):
batman-adv: use the proper header len when checking the TTVN
net/batman-adv/routing.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
From: Antonio Quartulli antonio@open-mesh.com
Unicast packets might be of type either UNICAST or UNICAST4ADDR. In the two cases the header size is different, but the mechanism checking the TTVN field was assuming it to be always of the same type (UNICAST), thus failing to access the inner Ethernet header in case of UNICAST4ADDR.
Fix this by passing the real header length as argument.
Signed-off-by: Antonio Quartulli antonio@open-mesh.com
Signed-off-by: Marek Lindner lindner_marek@yahoo.de
---
net/batman-adv/routing.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c index 319f290..7de0336 100644 --- a/net/batman-adv/routing.c +++ b/net/batman-adv/routing.c @@ -924,7 +924,7 @@ out: }
static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv, - struct sk_buff *skb) { + struct sk_buff *skb, int hdr_len) { uint8_t curr_ttvn, old_ttvn; struct batadv_orig_node *orig_node; struct ethhdr *ethhdr; @@ -933,7 +933,7 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv, int is_old_ttvn;
/* check if there is enough data before accessing it */ - if (pskb_may_pull(skb, sizeof(*unicast_packet) + ETH_HLEN) < 0) + if (pskb_may_pull(skb, hdr_len + ETH_HLEN) < 0) return 0;
/* create a copy of the skb (in case of for re-routing) to modify it. */ @@ -941,7 +941,7 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv, return 0;
unicast_packet = (struct batadv_unicast_packet *)skb->data; - ethhdr = (struct ethhdr *)(skb->data + sizeof(*unicast_packet)); + ethhdr = (struct ethhdr *)(skb->data + hdr_len);
/* check if the destination client was served by this node and it is now * roaming. In this case, it means that the node has got a ROAM_ADV @@ -1048,8 +1048,7 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
if (batadv_check_unicast_packet(bat_priv, skb, hdr_size) < 0) return NET_RX_DROP; - - if (!batadv_check_unicast_ttvn(bat_priv, skb)) + if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size)) return NET_RX_DROP;
/* packet for me */ @@ -1093,7 +1092,7 @@ int batadv_recv_ucast_frag_packet(struct sk_buff *skb, if (batadv_check_unicast_packet(bat_priv, skb, hdr_size) < 0) return NET_RX_DROP;
- if (!batadv_check_unicast_ttvn(bat_priv, skb)) + if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size)) return NET_RX_DROP;
unicast_packet = (struct batadv_unicast_frag_packet *)skb->data;
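Review bot: In the hunk at @@ -924, the new parameter is declared as "int hdr_len", a signed type for a value that is only ever a header size, is added to ETH_HLEN and is used as a pointer offset into skb->data. pskb_may_pull() takes an unsigned int length, so a negative value passed by a future caller would be converted silently instead of being rejected. Please make the parameter unsigned (size_t or unsigned int), and add a short comment above batadv_check_unicast_ttvn() saying that hdr_len is the size of the batman-adv header in front of the inner Ethernet header, since the function has no documentation for its arguments. The callers name the same value hdr_size, so using that name here would also make the call sites easier to follow.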
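Review bot: In the hunk at @@ -933, the length check still compares the result with "< 0": "if (pskb_may_pull(skb, hdr_len + ETH_HLEN) < 0)". pskb_may_pull() returns 1 when the requested bytes are available and 0 when they are not, never a negative value, so this branch can never be taken and the function goes on to read the inner Ethernet header at skb->data + hdr_len even when the packet is too short. The cover letter's statement that the memory accessed is always allocated therefore has to hold through some other check, because this one does not enforce it. Since the line is being touched anyway, please change it to "if (!pskb_may_pull(skb, hdr_len + ETH_HLEN))".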
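Review bot: In the hunk at @@ -941, the Ethernet header offset now follows hdr_len, but the context line just above it still casts skb->data to struct batadv_unicast_packet for every packet type that reaches this function. The rest of the function reads the TTVN and destination through that pointer, so the fix is only complete if those fields sit at the same offsets in the UNICAST4ADDR and fragment headers. Please state that in a comment next to the cast, or in the commit message, so the assumption is explicit and is rechecked if any of the header layouts change.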
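Review bot: In the hunk at @@ -1048, the blank line between the batadv_check_unicast_packet() check and the batadv_check_unicast_ttvn() check is removed along with the functional change, while the equivalent spot in batadv_recv_ucast_frag_packet() (hunk at @@ -1093) keeps its blank line. For a fix proposed for stable it is better to leave unrelated whitespace alone: keep the blank line here so the two callers stay formatted the same way and the diff contains only the added hdr_size argument.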
From: Antonio Quartulli ordex@autistici.org Date: Mon, 22 Apr 2013 10:38:13 +0200
here we have another (I think the last) fix intended for net/linux-3.9.
This patch fixes a bug in the Translation Table component. In particular, when batman-adv accesses the "inner Ethernet header", it has to jump over its header, which can have two different lengths. The current code assumes that this length is always the same, leading to a wrong access. This patch fixes it by making the "jump" generic.
The bug is not very critical because it "only" breaks our "smart rerouting feature" and does not lead to a crash since the memory it accesses is always allocated. I would send it to stable, but you can decide whether it is worth it or not.
Pulled, thanks.
b.a.t.m.a.n@lists.open-mesh.org