f1f7684c2c
The upcoming batman-adv 2016.2 contains multiple new features, code refactoring and similar things. These may not be fitting for Chaos Calmer but the changes in the maintenance branch (bugfixes) should be integrated to increase the stability. Signed-off-by: Sven Eckelmann <sven@narfation.org>
31 lines
1.2 KiB
Diff
31 lines
1.2 KiB
Diff
From: Sven Eckelmann <sven@narfation.org>
|
|
Date: Sun, 29 May 2016 21:25:52 +0200
|
|
Subject: [PATCH] batman-adv: Fix ICMP RR ethernet access after skb_linearize
|
|
|
|
The skb_linearize may reallocate the skb. This makes the calculated pointer
|
|
for ethhdr invalid. But it the pointer is used later to fill in the RR
|
|
field of the batadv_icmp_packet_rr packet.
|
|
|
|
Instead re-evaluate eth_hdr after the skb_linearize+skb_cow to fix the
|
|
pointer and avoid the invalid read.
|
|
|
|
Fixes: bb69cb678d37 ("batman-adv: generalize batman-adv icmp packet handling")
|
|
Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
|
|
|
Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/f6c80c29ef4e8b45b715976107b7ae06fc0be3a0
|
|
---
|
|
net/batman-adv/routing.c | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
|
|
index 0c0c30e..27e07dd 100644
|
|
--- a/net/batman-adv/routing.c
|
|
+++ b/net/batman-adv/routing.c
|
|
@@ -374,6 +374,7 @@ int batadv_recv_icmp_packet(struct sk_buff *skb,
|
|
if (skb_cow(skb, ETH_HLEN) < 0)
|
|
goto out;
|
|
|
|
+ ethhdr = eth_hdr(skb);
|
|
icmph = (struct batadv_icmp_header *)skb->data;
|
|
icmp_packet_rr = (struct batadv_icmp_packet_rr *)icmph;
|
|
if (icmp_packet_rr->rr_cur >= BATADV_RR_LEN)
|