Author: marek Date: 2010-04-26 12:08:57 +0200 (Mon, 26 Apr 2010) New Revision: 1640
Modified: trunk/batman-adv-kernelland/routing.c Log: batman-adv: Update pointer to ethhdr after skb_copy
We must ensure that all pointers to a socket buffer are updated when we copy a socket buffer and free our reference to the old one. Another part of the kernel could also free its reference, which may remove the buffer completely. In that situation we would feed wrong information to the routing algorithm after the memory area is written again by someone else.
Signed-off-by: Sven Eckelmann sven.eckelmann@gmx.de
Modified: trunk/batman-adv-kernelland/routing.c
===================================================================
--- trunk/batman-adv-kernelland/routing.c 2010-04-20 12:46:57 UTC (rev 1639)
+++ trunk/batman-adv-kernelland/routing.c 2010-04-26 10:08:57 UTC (rev 1640)
@@ -747,6 +747,7 @@
 skb = skb_copy(skb, GFP_ATOMIC);
 if (!skb)
 return NET_RX_DROP;
+ ethhdr = (struct ethhdr *)skb_mac_header(skb);
 kfree_skb(skb_old);
 }
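Review bot: In this first hunk (around line 747) only `ethhdr` is re-derived after `skb_copy()`, whereas the hunks at 806, 867, 963 and 1110 also show the packet pointer being reloaded from `skb->data`. If this function took a packet pointer from the old buffer before the copy, that pointer would still dangle after `kfree_skb(skb_old)`; the visible context cannot confirm either way, because the enclosing `if` block and the function start outside the hunk. The same copy, re-derive, free sequence is now open-coded at five sites with nothing telling the next editor that every pointer into the old skb must be refreshed before the free, so a short comment above each added line would help, e.g. `/* skb was copied: refresh all pointers into the old buffer before freeing it */`. Folding the sequence into one helper would make it harder to miss a pointer the next time one is added.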
@@ -805,6 +806,7 @@
 if (!skb)
 return NET_RX_DROP;
 icmp_packet = (struct icmp_packet_rr *)skb->data;
+ ethhdr = (struct ethhdr *)skb_mac_header(skb);
 kfree_skb(skb_old);
 }
@@ -865,6 +867,7 @@
 if (!skb)
 return NET_RX_DROP;
 icmp_packet = (struct icmp_packet *) skb->data;
+ ethhdr = (struct ethhdr *)skb_mac_header(skb);
 kfree_skb(skb_old);
 }
@@ -960,6 +963,7 @@
 if (!skb)
 return NET_RX_DROP;
 icmp_packet = (struct icmp_packet_rr *)skb->data;
+ ethhdr = (struct ethhdr *)skb_mac_header(skb);
 kfree_skb(skb_old);
 }
@@ -1106,6 +1110,7 @@
 if (!skb)
 return NET_RX_DROP;
 unicast_packet = (struct unicast_packet *) skb->data;
+ ethhdr = (struct ethhdr *)skb_mac_header(skb);
 kfree_skb(skb_old);
 }