[B.A.T.M.A.N.] [PATCH net 10/10] batman-adv: fix potential kernel paging error for unicast transmissions

[B.A.T.M.A.N.] [PATCH net 10/10] batman-adv: fix potential kernel paging error for unicast transmissions

[Antonio Quartulli]

batadv_send_skb_prepare_unicast(_4addr) might reallocate the
skb's data. If it does then our ethhdr pointer is not valid
anymore in batadv_send_skb_unicast(), resulting in a kernel
paging error.

Fixing this by refetching the ethhdr pointer after the
potential reallocation.

Introduced by 3275e7cc84fb0574e9662e8e74c3b1dab38f7143
("batman-adv: improve unicast packet (re)routing")

Reported-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
---

***This patch is not supposed to be merged in the batman-adv
repository***

This is a substitutive patch that I am going to send to net
instead of the one that we have in maint (same subject).
I am doing this because the original patch together with all
the bugfixes that followed it cannot be considered a "simple
bugfix" anymore and I'd rather prefer to send it to net-next
with a later pull request.

This patch instead fixes the same problem but in a much
simpler way (does not use of eth_hdr()).

I sent it over the ml for peer review. If nobody has any
objection I will send it to net.

@Linus: I'd like to add your signed-off to this patch
because it is essentially your patch but just reworked a
bit. Please let me know what you think.


Cheers,


 net/batman-adv/send.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c
index 579f5f0..2f378a1 100644
--- a/net/batman-adv/send.c
+++ b/net/batman-adv/send.c
@@ -254,9 +254,9 @@ static int batadv_send_skb_unicast(struct batadv_priv *bat_priv,
 				   struct batadv_orig_node *orig_node,
 				   unsigned short vid)
 {
-	struct ethhdr *ethhdr = (struct ethhdr *)skb->data;
+	struct ethhdr *ethhdr;
 	struct batadv_unicast_packet *unicast_packet;
-	int ret = NET_XMIT_DROP;
+	int ret = NET_XMIT_DROP, hdr_size;
 
 	if (!orig_node)
 		goto out;
@@ -265,12 +265,16 @@ static int batadv_send_skb_unicast(struct batadv_priv *bat_priv,
 	case BATADV_UNICAST:
 		if (!batadv_send_skb_prepare_unicast(skb, orig_node))
 			goto out;
+
+		hdr_size = sizeof(*unicast_packet);
 		break;
 	case BATADV_UNICAST_4ADDR:
 		if (!batadv_send_skb_prepare_unicast_4addr(bat_priv, skb,
 							   orig_node,
 							   packet_subtype))
 			goto out;
+
+		hdr_size = sizeof(struct batadv_unicast_packet_4addr);
 		break;
 	default:
 		/* this function supports UNICAST and UNICAST_4ADDR only. It
@@ -279,6 +283,7 @@ static int batadv_send_skb_unicast(struct batadv_priv *bat_priv,
 		goto out;
 	}
 
+	eth_hdr = (struct eth_hdr *)(skb->data + hdr_size);
 	unicast_packet = (struct batadv_unicast_packet *)skb->data;
 
 	/* inform the destination node that we are still missing a correct route
-- 
1.8.5.3