skb_linearize(skb) possibly rearranges the skb internal data and then changes the skb->data pointer value. For this reason any other pointer in the code that was assigned skb->data before invoking skb_linearize(skb) must be re-assigned.
In the current tt_query message handling code this is not done and therefore, in case of skb linearization, the pointer used to handle the packet header ends up pointing to freed memory.
This bug was introduced by a73105b8d4c765d9ebfb664d0a66802127d8e4c7 (batman-adv: improved client announcement mechanism).
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
Cc: stable@vger.kernel.org
---
This patch has already been merged in net-next. I am sorry about that, but we were missing some knowledge about sending patches for stable.
Thank you, Antonio
 net/batman-adv/routing.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c index 840e2c6..015471d 100644 --- a/net/batman-adv/routing.c +++ b/net/batman-adv/routing.c @@ -617,6 +617,8 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) * changes */ if (skb_linearize(skb) < 0) goto out; + /* skb_linearize() possibly changed skb->data */ + tt_query = (struct tt_query_packet *)skb->data;
tt_len = tt_query->tt_data * sizeof(struct tt_change);
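Review bot: refreshing tt_query after the skb_linearize() call is the right fix for the pointer this hunk uses, but the same hazard applies to every other local that was assigned from skb->data before that call (the commit message states this in general terms), so recv_tt_query() should be checked for any other such pointer, or restructured so that all skb->data-derived pointers are taken only after the linearize check. The added comment `/* skb_linearize() possibly changed skb->data */` documents the hazard, and the trailing context line computes tt_len from the refreshed tt_query, so the visible use is correct.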
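The hazard the commit message describes, shown as an added example that is not part of the patch or of batman-adv: a toy buffer and a toy linearize routine (constructed here, not the kernel's struct sk_buff or skb_linearize()) that relays out the data and frees the old area, beside a handler that re-derives its header pointer afterwards the way the patched recv_tt_query() does. The struct names, TOY_TT_QUERY value and packet layout are all assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy stand-in for the parts of a socket buffer this example needs
 * (constructed; not the kernel's struct sk_buff). */
struct toy_skb {
    unsigned char *data;   /* start of the packet in memory */
    size_t len;            /* bytes of packet data */
    int fragmented;        /* non-zero: data must be relaid out before use */
};

/* Toy header standing in for tt_query_packet; only tt_data is mirrored. */
struct toy_query_hdr {
    uint8_t packet_type;
    uint8_t tt_data;       /* number of change records that follow */
};

/* Toy change record; only its size matters, as in the patch's tt_len line. */
struct toy_change {
    uint8_t flags;
    uint8_t addr[6];
};

#define TOY_TT_QUERY 0x07  /* constructed packet type value */

/* Toy linearize, modelled on what skb_linearize() may do: if the buffer is
 * fragmented, allocate a contiguous area, copy, free the old area and update
 * skb->data. Returns 0 on success, -1 on allocation failure. */
static int toy_linearize(struct toy_skb *skb)
{
    unsigned char *fresh;

    if (!skb->fragmented)
        return 0;
    fresh = malloc(skb->len);
    if (!fresh)
        return -1;
    memcpy(fresh, skb->data, skb->len);
    free(skb->data);       /* old area is gone: pointers into it now dangle */
    skb->data = fresh;
    skb->fragmented = 0;
    return 0;
}

/* Handler structured like the patched recv_tt_query(): the header pointer is
 * taken early but re-derived from skb->data after linearizing.
 * Returns the computed tt_len, or -1 on error. */
static long handle_query(struct toy_skb *skb)
{
    struct toy_query_hdr *hdr = (struct toy_query_hdr *)skb->data;

    if (skb->len < sizeof(*hdr) || hdr->packet_type != TOY_TT_QUERY)
        return -1;
    if (toy_linearize(skb) < 0)
        return -1;
    /* toy_linearize() possibly changed skb->data: refresh the pointer.
     * Without this line hdr would still reference the freed area. */
    hdr = (struct toy_query_hdr *)skb->data;
    return (long)hdr->tt_data * (long)sizeof(struct toy_change);
}

/* Returns 1 if linearizing moved skb->data (a pointer saved before the call is
 * now dangling), 0 if not, -1 on failure. Only addresses are compared; the
 * old pointer is never dereferenced. */
static int linearize_moves_data(struct toy_skb *skb)
{
    uintptr_t before = (uintptr_t)skb->data;

    if (toy_linearize(skb) < 0)
        return -1;
    return (uintptr_t)skb->data != before;
}

/* Builds a constructed query packet: one header plus tt_data change records. */
static struct toy_skb *make_query_skb(int fragmented, uint8_t tt_data)
{
    struct toy_skb *skb = calloc(1, sizeof(*skb));
    struct toy_query_hdr hdr = { TOY_TT_QUERY, tt_data };

    if (!skb)
        return NULL;
    skb->len = sizeof(hdr) + (size_t)tt_data * sizeof(struct toy_change);
    skb->data = calloc(1, skb->len);
    if (!skb->data) {
        free(skb);
        return NULL;
    }
    memcpy(skb->data, &hdr, sizeof(hdr));
    skb->fragmented = fragmented;
    return skb;
}

static void free_skb(struct toy_skb *skb)
{
    if (skb) {
        free(skb->data);
        free(skb);
    }
}

/* Build a fragmented query, handle it, free it; returns tt_len. */
static long fragmented_query_tt_len(uint8_t tt_data)
{
    struct toy_skb *skb = make_query_skb(1, tt_data);
    long r = skb ? handle_query(skb) : -1;
    free_skb(skb);
    return r;
}

/* Build a query (fragmented or not), linearize it; returns whether data moved. */
static int query_data_moves(int fragmented)
{
    struct toy_skb *skb = make_query_skb(fragmented, 1);
    int r = skb ? linearize_moves_data(skb) : -1;
    free_skb(skb);
    return r;
}

int main(void)
{
    printf("tt_len for 3 records: %ld\n", fragmented_query_tt_len(3));
    printf("fragmented buffer moved: %d, linear buffer moved: %d\n",
           query_data_moves(1), query_data_moves(0));
    return 0;
}
```

The same discipline carries to the real code: any pointer into the packet taken before a call that may relayout the buffer is invalid after it, and the safest structure is to take all such pointers after the linearize check.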
From: Antonio Quartulli <ordex@autistici.org>
Date: Tue, 19 Jun 2012 21:26:39 +0200

> This patch has already been merged in net-next. I am sorry about that, but we were missing some knowledge about sending patches for stable.
You really like making my life miserable.
What is so damn complicated about:
1) BUG FIXES go to 'net'
2) NON BUG FIXES go to 'net-next'
This gets stated repeatedly here.
I do see you guys erroneously submit bug fixes into net-next all the time but I just assumed you simply didn't give a shit about bug fixes propagating quickly.
You guys definitely need to get your asses in gear.
From: Antonio Quartulli <ordex@autistici.org>
Date: Tue, 19 Jun 2012 21:26:39 +0200

> skb_linearize(skb) possibly rearranges the skb internal data and then changes the skb->data pointer value. For this reason any other pointer in the code that was assigned skb->data before invoking skb_linearize(skb) must be re-assigned.
> In the current tt_query message handling code this is not done and therefore, in case of skb linearization, the pointer used to handle the packet header ends up pointing to freed memory.
> This bug was introduced by a73105b8d4c765d9ebfb664d0a66802127d8e4c7 (batman-adv: improved client announcement mechanism).
> Signed-off-by: Antonio Quartulli <ordex@autistici.org>
> Cc: stable@vger.kernel.org
Applied.
Submit things properly in the future so you don't give me unnecessary merge hassles like this again.
b.a.t.m.a.n@lists.open-mesh.org