Hello David,
This is a single fix intended for net/linux-3.9 brought by Marek Lindner. It ensures that the incoming originator message parsing routine does not try to read beyond the packet boundary causing it to process random data.
This bug is in since a while..Please, consider sending this patch to stable.
Please pull or let me know if there is any problem! Thank you, Antonio
The following changes since commit 7c6baa304b841673d3a55ea4fcf9a5cbf7a1674b:
Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip (2013-03-11 07:54:29 -0700)
are available in the git repository at:
git://git.open-mesh.org/linux-merge.git tags/batman-adv-fix-for-davem
for you to fetch changes up to b47506d91259c29b9c75c404737eb6525556f9b4:
batman-adv: verify tt len does not exceed packet len (2013-03-11 22:59:47 +0100)
---------------------------------------------------------------- Included changes ares: - fix packet parsing routine to avoid to read beyond the packet boundary
---------------------------------------------------------------- Marek Lindner (1): batman-adv: verify tt len does not exceed packet len
net/batman-adv/bat_iv_ogm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
From: Marek Lindner lindner_marek@yahoo.de
batadv_iv_ogm_process() accesses the packet using the tt_num_changes attribute regardless of the real packet len (assuming the length check was done before). Therefore a length check is needed to avoid reading random memory.
Signed-off-by: Marek Lindner lindner_marek@yahoo.de Signed-off-by: Antonio Quartulli ordex@autistici.org --- net/batman-adv/bat_iv_ogm.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c index a0b253e..a5bb0a7 100644 --- a/net/batman-adv/bat_iv_ogm.c +++ b/net/batman-adv/bat_iv_ogm.c @@ -1288,7 +1288,8 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb, batadv_ogm_packet = (struct batadv_ogm_packet *)packet_buff;
/* unpack the aggregated packets and process them one by one */ - do { + while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len, + batadv_ogm_packet->tt_num_changes)) { tt_buff = packet_buff + buff_pos + BATADV_OGM_HLEN;
batadv_iv_ogm_process(ethhdr, batadv_ogm_packet, tt_buff, @@ -1299,8 +1300,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
packet_pos = packet_buff + buff_pos; batadv_ogm_packet = (struct batadv_ogm_packet *)packet_pos; - } while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len, - batadv_ogm_packet->tt_num_changes)); + }
kfree_skb(skb); return NET_RX_SUCCESS;
From: Antonio Quartulli ordex@autistici.org Date: Mon, 11 Mar 2013 23:12:27 +0100
This is a single fix intended for net/linux-3.9 brought by Marek Lindner. It ensures that the incoming originator message parsing routine does not try to read beyond the packet boundary causing it to process random data.
This bug is in since a while..Please, consider sending this patch to stable.
Please pull or let me know if there is any problem!
Pulled and queued up for -stable.
b.a.t.m.a.n@lists.open-mesh.org
-
Antonio Quartulli -
David Miller