The TT_RESPONSE message can be linearised only if we plan to access the tt payload (only if the message is directed to me). In all other cases we can avoid this memory operation.
Signed-off-by: Antonio Quartulli ordex@autistici.org ---
corrected typo in the commit message
routing.c | 11 ++++++----- 1 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/routing.c b/routing.c index f961cc5..20804f4 100644 --- a/routing.c +++ b/routing.c @@ -616,13 +616,14 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) } break; case TT_RESPONSE: - /* packet needs to be linearized to access the TT changes */ - if (skb_linearize(skb) < 0) - goto out; + if (is_my_mac(tt_query->dst)) { + /* packet needs to be linearized to access the TT + * changes */ + if (skb_linearize(skb) < 0) + goto out;
- if (is_my_mac(tt_query->dst)) handle_tt_response(bat_priv, tt_query); - else { + } else { bat_dbg(DBG_TT, bat_priv, "Routing TT_RESPONSE to %pM [%c]\n", tt_query->dst,
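Review bot: with skb_linearize() now confined to the is_my_mac() branch, everything in the else branch must only touch fields that the minimum-size check at the top of recv_tt_query() already guarantees to be in the linear area; the visible bat_dbg() reads tt_query->dst, a header field, so the forwarding path is fine, but the comment only documents the linearize side. Suggest extending it, for example `/* forwarding needs only the header, which is already linear; do not touch the TT changes here */`, so a later change to the else branch does not dereference the non-linear payload.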
Before accessing the TT_RESPONSE message payload, we have to ensure that the real length of the packet reflects the claimed one (contained in the tt_response->tt_data field).
Reported-by: Simon Wunderlich siwu@hrz.tu-chemnitz.de Signed-off-by: Antonio Quartulli ordex@autistici.org ---
corrected skb length check
routing.c | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-)
diff --git a/routing.c b/routing.c index 20804f4..af55cf7 100644 --- a/routing.c +++ b/routing.c @@ -578,6 +578,7 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) { struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface); struct tt_query_packet *tt_query; + uint16_t tt_len; struct ethhdr *ethhdr;
/* drop packet if it has not necessary minimum size */ @@ -622,6 +623,18 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) if (skb_linearize(skb) < 0) goto out;
+ if (tt_query->flags & TT_FULL_TABLE) + tt_len = tt_query->tt_data * ETH_ALEN; + else + tt_len = tt_query->tt_data * + sizeof(struct tt_change); + + /* Ensure we have all the claimed data */ + if (unlikely(skb_headlen(skb) < + sizeof(struct tt_query_packet) + + tt_len)) + goto out; + handle_tt_response(bat_priv, tt_query); } else { bat_dbg(DBG_TT, bat_priv,
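Review bot: tt_len is declared uint16_t but is assigned `tt_query->tt_data * ETH_ALEN` or `tt_query->tt_data * sizeof(struct tt_change)`, so the product is truncated to 16 bits before the comparison; a tt_data whose product exceeds 65535 wraps to a small tt_len and `skb_headlen(skb) < sizeof(struct tt_query_packet) + tt_len` no longer rejects a packet that lacks the claimed entries. Suggest declaring tt_len as size_t (or unsigned int) so the comparison is done on the full claimed length, or bounding tt_data against a maximum entry count before multiplying. The choice of ETH_ALEN for TT_FULL_TABLE also has to match what send_my_tt_response() actually emits, otherwise the check under-counts for full tables.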
On Wednesday, October 12, 2011 15:10:58 Antonio Quartulli wrote:
if (tt_query->flags & TT_FULL_TABLE)
tt_len = tt_query->tt_data * ETH_ALEN;
Odd, I had the feeling the full table also uses 'struct tt_change' and not plain ethernet addresses anymore.
From translation-table.c (send_my_tt_response): tt_len = (uint16_t)atomic_read(&bat_priv->num_local_tt) * sizeof(struct tt_change);
Regards, Marek
b.a.t.m.a.n@lists.open-mesh.org
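As an added example (not code from the patches above nor from batman-adv), the C below applies the rule the second commit message describes to a constructed TT_RESPONSE buffer: the claimed entry count times the per-entry size must not exceed the bytes actually present after the header. The struct layouts, the TT_FULL_TABLE value and the 7-byte stand-in for struct tt_change are assumptions made for this example; batman-adv's real definitions live in packet.h, which the thread does not show. The block also computes the same product into a uint16_t, as the patch declares tt_len, to show that a large claimed count wraps and lets an under-sized packet pass the check.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the batman-adv types the check touches. The
 * layouts and the flag value are assumptions made for this example and are
 * not copied from batman-adv's packet.h. */
#define ETH_ALEN 6
#define TT_FULL_TABLE 0x04

struct tt_query_hdr {
	uint8_t  flags;
	uint8_t  dst[ETH_ALEN];
	uint16_t tt_data;	/* number of TT entries the sender claims follow */
} __attribute__((packed));

struct tt_change_entry {	/* stand-in for struct tt_change: 7 bytes here */
	uint8_t flags;
	uint8_t addr[ETH_ALEN];
} __attribute__((packed));

/* Per-entry size as chosen in the patch: plain addresses for a full table,
 * struct tt_change otherwise (the choice Marek's reply questions). */
size_t tt_entry_size(uint8_t flags)
{
	return (flags & TT_FULL_TABLE) ? ETH_ALEN : sizeof(struct tt_change_entry);
}

/* Claimed payload length computed in size_t: cannot wrap for any 16-bit count. */
size_t claimed_tt_len(uint16_t tt_data, size_t per_entry)
{
	return (size_t)tt_data * per_entry;
}

/* The same product stored in a uint16_t, as the patch declares tt_len:
 * anything above 65535 is reduced modulo 65536. */
uint16_t claimed_tt_len_u16(uint16_t tt_data, size_t per_entry)
{
	uint16_t tt_len = (uint16_t)(tt_data * per_entry);
	return tt_len;
}

/* Length check over a linear buffer of headlen bytes: accept only when the
 * header and every claimed entry are actually present. use_u16 selects the
 * truncating arithmetic so the two behaviours can be compared. */
bool tt_response_len_ok(const uint8_t *buf, size_t headlen, bool use_u16)
{
	struct tt_query_hdr hdr;
	size_t tt_len;

	if (headlen < sizeof(hdr))
		return false;
	memcpy(&hdr, buf, sizeof(hdr));	/* no unaligned reads from buf */
	tt_len = use_u16 ? claimed_tt_len_u16(hdr.tt_data, tt_entry_size(hdr.flags))
			 : claimed_tt_len(hdr.tt_data, tt_entry_size(hdr.flags));
	return headlen - sizeof(hdr) >= tt_len;
}

/* Build a constructed TT_RESPONSE that claims `claimed` entries but carries
 * only `present` of them, then run the check on it. */
bool check_constructed(uint8_t flags, uint16_t claimed, uint16_t present, bool use_u16)
{
	uint8_t buf[1024];
	struct tt_query_hdr hdr = { .flags = flags, .tt_data = claimed };
	size_t len = sizeof(hdr) + (size_t)present * tt_entry_size(flags);

	if (len > sizeof(buf))
		return false;
	memset(buf, 0xAB, len);	/* entry contents are irrelevant to the check */
	memcpy(buf, &hdr, sizeof(hdr));
	return tt_response_len_ok(buf, len, use_u16);
}

int main(void)
{
	printf("3 claimed, 3 present: %d\n", check_constructed(0, 3, 3, false));
	printf("3 claimed, 2 present: %d\n", check_constructed(0, 3, 2, false));
	/* 9363 * 7 = 65541, which a uint16_t stores as 5 */
	printf("9363 claimed, 5 present, size_t: %d\n", check_constructed(0, 9363, 5, false));
	printf("9363 claimed, 5 present, u16:    %d\n", check_constructed(0, 9363, 5, true));
	return 0;
}
```

tt_entry_size() follows the patch as posted; if the full table is sent as struct tt_change entries, as Marek's quote from translation-table.c suggests, that function is the single place to change. Whether tt_data can actually carry a count large enough to wrap depends on its declared type in packet.h, which the thread does not show; the size_t computation is safe either way.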