• Sven Eckelmann's avatar
    batman-adv: Expand merged fragment buffer for full packet · d7d8bbb4
    Sven Eckelmann authored
    The complete size ("total_size") of the fragmented packet is stored in the
    fragment header and in the size of the fragment chain. When the fragments
    are ready for merge, the skbuff's tail of the first fragment is expanded to
    have enough room after the data pointer for at least total_size. This means
    that it gets expanded by total_size - first_skb->len.
    
    But this is ignoring the fact that after expanding the buffer, the fragment
    header is pulled by from this buffer. Assuming that the tailroom of the
    buffer was already 0, the buffer after the data pointer of the skbuff is
    now only total_size - len(fragment_header) large. When the merge function
    is then processing the remaining fragments, the code to copy the data over
    to the merged skbuff will cause an skb_over_panic when it tries to actually
    put enough data to fill the total_size bytes of the packet.
    
    The size of the skb_pull must therefore also be taken into account when the
    buffer's tailroom is expanded.
    
    Fixes: 610bfc6b ("batman-adv: Receive fragmented packets and merge")
    Reported-by: default avatarMartin Weinelt <martin@darmstadt.freifunk.net>
    Co-authored-by: default avatarLinus Lüssing <linus.luessing@c0d3.blue>
    Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
    Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
    d7d8bbb4
fragmentation.c 16.2 KB