On Monday 01 December 2014 13:59:44 Sven Eckelmann wrote:
> The fragmentation code was replaced in
> 9b3eab61754d74a93c9840c296013fe3b4a1b606 ("batman-adv: Receive fragmented
> packets and merge") by an implementation which can handle up to 16
> fragments of a packet. The packet is prepared for the split in fragments by
> the function batadv_frag_send_packet and the actual split is done by
> batadv_frag_create.
>
> Both functions calculate the size of a fragment themselves. But their
> calculation differs because batadv_frag_send_packet also subtracts
> ETH_HLEN. Therefore, the check in batadv_frag_send_packet if a full
> fragment can be created may return true even when batadv_frag_create cannot
> create a full fragment.
>
> The function batadv_frag_create doesn't check the size of the skb before
> splitting it and therefore might try to create a larger fragment than the
> remaining buffer. This creates an integer underflow and an invalid len is
> given to skb_split.
>
> Signed-off-by: Sven Eckelmann
> ---
>  fragmentation.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

Applied in revision eddbc3d.

Thanks,
Marek
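The failure mode in the quoted commit message (two code paths deriving the fragment size differently, and an unsigned subtraction that wraps when the splitter takes more than the buffer holds) can be reproduced in a small stand-alone model. The following C is an added illustration, not batman-adv code and not the one-line fix Marek applied; the MTU, header length and function names are constructed placeholders, and only ETH_HLEN (14) is a real Linux constant.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the size mismatch described in the commit message.
 * Not batman-adv code; the constants below are placeholders. */
#define ETH_HLEN       14U   /* real Linux Ethernet header length */
#define FRAG_HDR_LEN   20U   /* hypothetical per-fragment header size */
#define LINK_MTU     1500U   /* hypothetical MTU of the outgoing link */

/* Sender-side view of the fragment payload: subtracts ETH_HLEN
 * (stands in for the calculation in batadv_frag_send_packet). */
static unsigned int frag_payload_sender(void)
{
	return LINK_MTU - ETH_HLEN - FRAG_HDR_LEN;   /* 1466 */
}

/* Splitter-side view: does not subtract ETH_HLEN
 * (stands in for the calculation in batadv_frag_create). */
static unsigned int frag_payload_splitter(void)
{
	return LINK_MTU - FRAG_HDR_LEN;              /* 1480 */
}

/* The sender's "does a full fragment still fit?" test, using its own size. */
static bool sender_thinks_full_fragment_fits(unsigned int skb_len)
{
	return skb_len >= frag_payload_sender();
}

/* Unchecked split: length left in the buffer after taking one fragment.
 * With unsigned arithmetic a fragment larger than the buffer wraps around
 * to a huge value instead of failing; that is the "invalid len" handed on. */
static unsigned int remaining_unchecked(unsigned int skb_len, unsigned int frag_len)
{
	return skb_len - frag_len;
}

/* Checked split: refuses a fragment larger than what is left.
 * Returns the remaining length, or -1 when the fragment would not fit. */
static long remaining_checked(unsigned int skb_len, unsigned int frag_len)
{
	if (frag_len > skb_len)
		return -1;
	return (long)(skb_len - frag_len);
}

int main(void)
{
	/* Buffer sized so the sender's check passes exactly. */
	unsigned int skb_len = frag_payload_sender();
	unsigned int split_len = frag_payload_splitter();

	printf("sender says full fragment fits: %d\n",
	       sender_thinks_full_fragment_fits(skb_len));
	printf("splitter wants %u of %u bytes\n", split_len, skb_len);
	printf("unchecked remaining length: %u (wrapped past %u)\n",
	       remaining_unchecked(skb_len, split_len), skb_len);
	printf("checked split result: %ld\n", remaining_checked(skb_len, split_len));
	return 0;
}
```

The two size helpers disagree by exactly ETH_HLEN, so a buffer that passes the sender's check is still too small for the splitter, and the unchecked subtraction wraps to a value near UINT_MAX. The defensive pattern is the one in `remaining_checked`: compare before subtracting, and derive the fragment size from a single shared calculation rather than two independent ones.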