Commit 5b161002 authored by David S. Miller's avatar David S. Miller

Merge tag 'batadv-net-for-davem-20190830' of git://git.open-mesh.org/linux-merge

Simon Wunderlich says:

====================
Here are two batman-adv bugfixes:

 - Fix OGM and OGMv2 header read boundary check,
   by Sven Eckelmann (2 patches)
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents c3d7a089 0ff0f15a
...@@ -277,17 +277,23 @@ static u8 batadv_hop_penalty(u8 tq, const struct batadv_priv *bat_priv) ...@@ -277,17 +277,23 @@ static u8 batadv_hop_penalty(u8 tq, const struct batadv_priv *bat_priv)
* batadv_iv_ogm_aggr_packet() - checks if there is another OGM attached * batadv_iv_ogm_aggr_packet() - checks if there is another OGM attached
* @buff_pos: current position in the skb * @buff_pos: current position in the skb
* @packet_len: total length of the skb * @packet_len: total length of the skb
* @tvlv_len: tvlv length of the previously considered OGM * @ogm_packet: potential OGM in buffer
* *
* Return: true if there is enough space for another OGM, false otherwise. * Return: true if there is enough space for another OGM, false otherwise.
*/ */
static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len, static bool
__be16 tvlv_len) batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
const struct batadv_ogm_packet *ogm_packet)
{ {
int next_buff_pos = 0; int next_buff_pos = 0;
next_buff_pos += buff_pos + BATADV_OGM_HLEN; /* check if there is enough space for the header */
next_buff_pos += ntohs(tvlv_len); next_buff_pos += buff_pos + sizeof(*ogm_packet);
if (next_buff_pos > packet_len)
return false;
/* check if there is enough space for the optional TVLV */
next_buff_pos += ntohs(ogm_packet->tvlv_len);
return (next_buff_pos <= packet_len) && return (next_buff_pos <= packet_len) &&
(next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
...@@ -315,7 +321,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet, ...@@ -315,7 +321,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
/* adjust all flags and log packets */ /* adjust all flags and log packets */
while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len, while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
batadv_ogm_packet->tvlv_len)) { batadv_ogm_packet)) {
/* we might have aggregated direct link packets with an /* we might have aggregated direct link packets with an
* ordinary base packet * ordinary base packet
*/ */
...@@ -1704,7 +1710,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb, ...@@ -1704,7 +1710,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
/* unpack the aggregated packets and process them one by one */ /* unpack the aggregated packets and process them one by one */
while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb), while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
ogm_packet->tvlv_len)) { ogm_packet)) {
batadv_iv_ogm_process(skb, ogm_offset, if_incoming); batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
ogm_offset += BATADV_OGM_HLEN; ogm_offset += BATADV_OGM_HLEN;
......
...@@ -631,17 +631,23 @@ batadv_v_ogm_process_per_outif(struct batadv_priv *bat_priv, ...@@ -631,17 +631,23 @@ batadv_v_ogm_process_per_outif(struct batadv_priv *bat_priv,
* batadv_v_ogm_aggr_packet() - checks if there is another OGM aggregated * batadv_v_ogm_aggr_packet() - checks if there is another OGM aggregated
* @buff_pos: current position in the skb * @buff_pos: current position in the skb
* @packet_len: total length of the skb * @packet_len: total length of the skb
* @tvlv_len: tvlv length of the previously considered OGM * @ogm2_packet: potential OGM2 in buffer
* *
* Return: true if there is enough space for another OGM, false otherwise. * Return: true if there is enough space for another OGM, false otherwise.
*/ */
static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len, static bool
__be16 tvlv_len) batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
const struct batadv_ogm2_packet *ogm2_packet)
{ {
int next_buff_pos = 0; int next_buff_pos = 0;
next_buff_pos += buff_pos + BATADV_OGM2_HLEN; /* check if there is enough space for the header */
next_buff_pos += ntohs(tvlv_len); next_buff_pos += buff_pos + sizeof(*ogm2_packet);
if (next_buff_pos > packet_len)
return false;
/* check if there is enough space for the optional TVLV */
next_buff_pos += ntohs(ogm2_packet->tvlv_len);
return (next_buff_pos <= packet_len) && return (next_buff_pos <= packet_len) &&
(next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES); (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
...@@ -818,7 +824,7 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb, ...@@ -818,7 +824,7 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb,
ogm_packet = (struct batadv_ogm2_packet *)skb->data; ogm_packet = (struct batadv_ogm2_packet *)skb->data;
while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb), while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
ogm_packet->tvlv_len)) { ogm_packet)) {
batadv_v_ogm_process(skb, ogm_offset, if_incoming); batadv_v_ogm_process(skb, ogm_offset, if_incoming);
ogm_offset += BATADV_OGM2_HLEN; ogm_offset += BATADV_OGM2_HLEN;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment