Hello David,
I know it is extremely late in the release cycle, but please accept this single (and small) change intended for net.
This bug-fix provided by Sven Eckelmann prevents a wrong memory access in setups with multiple interfaces enslaved in batman-adv (very common nowadays).
When such bad access is performed the code ends up filling with random data an internal data structure used to compute the links metric, thus leading to undefined behaviours.
This bug has been there since forever, therefore it would be really nice if you could get it queued for inclusion in stable.
Please pull or let me know of any problem! Thanks a lot, Antonio
The following changes since commit 51cb67c0b0fcb91581b15bd2e85f29af4d4b2df6:
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2016-01-06 16:15:03 -0800)
are available in the git repository at:
git://git.open-mesh.org/linux-merge.git tags/batman-adv-fix-for-davem
for you to fetch changes up to 13bbdd370f67aef3351ad7bbc2fb624e3c23f905:
batman-adv: Fix invalid read while copying bat_iv.bcast_own (2016-01-07 14:24:05 +0800)
----------------------------------------------------------------
Included change:
- Fix invalid read while copying bat_iv.bcast_own by Sven Eckelmann

----------------------------------------------------------------
Sven Eckelmann (1):
      batman-adv: Fix invalid read while copying bat_iv.bcast_own

 net/batman-adv/bat_iv_ogm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
From: Sven Eckelmann sven@narfation.org
batadv_iv_ogm_orig_del_if removes a part of the bcast_own which previously belonged to the now removed interface. This is done by copying all data which comes before the removed interface and then appending all the data which comes after the removed interface.
The address calculation for the position of the data which comes after the removed interface assumed that the bat_iv.bcast_own is a pointer to a single byte datatype. But it is a pointer to unsigned long and thus the calculated position was off by a factor of sizeof(unsigned long).
Fixes: 83a8342678a0 ("more basic routing code added (forwarding packets / bitarray added)")
Signed-off-by: Sven Eckelmann sven@narfation.org
Signed-off-by: Marek Lindner mareklindner@neomailbox.ch
Signed-off-by: Antonio Quartulli a@unstable.cc
---
 net/batman-adv/bat_iv_ogm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c index 912d9c3..aa94b4e 100644 --- a/net/batman-adv/bat_iv_ogm.c +++ b/net/batman-adv/bat_iv_ogm.c @@ -185,7 +185,8 @@ unlock: static int batadv_iv_ogm_orig_del_if(struct batadv_orig_node *orig_node, int max_if_num, int del_if_num) { - int chunk_size, ret = -ENOMEM, if_offset; + int ret = -ENOMEM; + size_t chunk_size, if_offset; void *data_ptr = NULL;
spin_lock_bh(&orig_node->bat_iv.ogm_cnt_lock); @@ -203,8 +204,9 @@ static int batadv_iv_ogm_orig_del_if(struct batadv_orig_node *orig_node, memcpy(data_ptr, orig_node->bat_iv.bcast_own, del_if_num * chunk_size);
/* copy second part */ + if_offset = (del_if_num + 1) * chunk_size; memcpy((char *)data_ptr + del_if_num * chunk_size, - orig_node->bat_iv.bcast_own + ((del_if_num + 1) * chunk_size), + (uint8_t *)orig_node->bat_iv.bcast_own + if_offset, (max_if_num - del_if_num) * chunk_size);
free_bcast_own:
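Review bot: in the declarations at the top of batadv_iv_ogm_orig_del_if, chunk_size and if_offset become size_t while the max_if_num and del_if_num parameters stay int, so del_if_num * chunk_size and (del_if_num + 1) * chunk_size are now mixed signed/unsigned expressions. A negative del_if_num would convert to a very large size_t instead of producing a negative offset. Consider making both parameters unsigned, or validating them on entry, so the types state the invariant the arithmetic relies on.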
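Review bot: in the second memcpy the destination is still cast with (char *) while the source now uses (uint8_t *); pick one byte type for both so the two offsets read the same way. The length (max_if_num - del_if_num) * chunk_size is left unchanged and depends on del_if_num <= max_if_num; with chunk_size now size_t a negative difference would wrap to a huge copy length. A short comment stating whether max_if_num counts interfaces before or after the removal would make that bound checkable from this function alone.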
Sorry, missed the batman-adv prefix.
Cheers,
From: Antonio Quartulli a@unstable.cc Date: Thu, 7 Jan 2016 15:26:26 +0800
I know it is extremely late in the release cycle, but please accept this single (and small) change intended for net.
Pulled, thanks Antonio.
b.a.t.m.a.n@lists.open-mesh.org
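The address calculation described in Sven Eckelmann's commit message, as an added user-space example (not the batman-adv code): `scaled_byte_offset` shows that adding n to an `unsigned long *` skips n * sizeof(unsigned long) bytes, and `drop_slot` removes one slot using byte pointers for byte offsets. The names `sample`, `scaled_byte_offset`, `drop_slot` and `demo`, and the sample values, are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: 4 interfaces, 2 unsigned long words per slot. */
static const unsigned long sample[8] = {
	0xa0, 0xa1, 0xb0, 0xb1, 0xc0, 0xc1, 0xd0, 0xd1
};

/* Bytes actually skipped by "base + n" on an unsigned long pointer:
 * n is scaled by sizeof(unsigned long). Caller keeps base + n in bounds. */
size_t scaled_byte_offset(const unsigned long *base, size_t n)
{
	return (size_t)((const uint8_t *)(base + n) - (const uint8_t *)base);
}

/* Copy src (n_slots slots of slot_bytes bytes each) without slot del.
 * Hypothetical helper: NULL on bad arguments or allocation failure. */
unsigned long *drop_slot(const unsigned long *src, size_t n_slots,
			 size_t slot_bytes, size_t del)
{
	uint8_t *dst;
	size_t tail_off;

	if (n_slots < 2 || del >= n_slots)
		return NULL;
	dst = malloc((n_slots - 1) * slot_bytes);
	if (!dst)
		return NULL;
	memcpy(dst, src, del * slot_bytes);	/* slots before del */
	tail_off = (del + 1) * slot_bytes;	/* byte offset: needs a byte pointer */
	memcpy(dst + del * slot_bytes, (const uint8_t *)src + tail_off,
	       (n_slots - del - 1) * slot_bytes);
	return (unsigned long *)dst;
}

/* Returns 1 when removing slot 1 from the sample leaves slots 0, 2 and 3. */
int demo(void)
{
	static const unsigned long want[6] = { 0xa0, 0xa1, 0xc0, 0xc1, 0xd0, 0xd1 };
	unsigned long *out = drop_slot(sample, 4, 2 * sizeof(unsigned long), 1);
	int ok = out && memcmp(out, want, sizeof(want)) == 0;
	free(out);
	return ok;
}

int main(void) { return demo() ? 0 : 1; }
```

Had `tail_off` been added to `src` without the byte cast, the read for this sample would start 4 * sizeof(unsigned long) elements in, past the end of the 8-element array.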