Hi,

On 12/11/14 18:58, Sven Eckelmann wrote:
> batctl tcpdump has an array with all known TVLVs and versions. The correct
> parser for the TVLV is chosen by getting the pointer from the address
> calculated by version and type. Unfortunately, the version and type were never
> validated to ensure that not an unknown TVLV (like mcast) was received.
>
> This missing validation makes it possible to crash batctl by injecting packets
> with an unknown type and/or version. batctl will try to get the parser, fetch a
> NULL pointer or random data and then try to dereference it. This is usually
> handled by the operating system with a segfault. But this might be exploitable
> in rare situations.
>
> An approach to handle this problem is by combining the simple selection step
> with the validation step. Only valid version+type will return a parser function
> pointer and the requesting function will only call the parser function pointer
> when it got one.
>
> This regression was introduced by 4c39fb823b86036df40187f8bd342fe5398c28ef
> ("batctl: tcpdump - parse TVLV containers").
>
> Signed-off-by: Sven Eckelmann

For the whole series:

Acked-by: Antonio Quartulli

Thank you very much for your work Sven!

@Marek: the offending patch is in next, therefore this patchset should be
merged there as well.

Cheers,

--
Antonio Quartulli
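The pattern Sven describes, as an added illustration that is not batctl's own code: a parser table indexed by type and version where the lookup itself validates the indices and returns NULL for anything unknown, so the caller never dereferences an out-of-table pointer. The table contents, the parser names and the TVLV header layout (type, version, 16-bit big-endian length, value) are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed table bounds for this example, not batctl's: two types, versions 0-1. */
#define TVLV_TYPE_MAX    2
#define TVLV_VERSION_MAX 2

typedef int (*tvlv_parser_fn)(const uint8_t *data, size_t len);

/* Hypothetical parsers: 0 on success, -2 if the TVLV value is too short. */
static int parse_gw(const uint8_t *data, size_t len)
{
    (void)data;
    return len >= 8 ? 0 : -2;
}

static int parse_dat(const uint8_t *data, size_t len)
{
    (void)data;
    return len >= 1 ? 0 : -2;
}

/* Parser table indexed by [type][version]; unassigned slots stay NULL. */
static const tvlv_parser_fn tvlv_parsers[TVLV_TYPE_MAX][TVLV_VERSION_MAX] = {
    [0] = { [1] = parse_gw },
    [1] = { [1] = parse_dat },
};

/* Selection and validation in one step: NULL for any type/version not in the table. */
tvlv_parser_fn tvlv_get_parser(uint8_t type, uint8_t version)
{
    if (type >= TVLV_TYPE_MAX || version >= TVLV_VERSION_MAX)
        return NULL;
    return tvlv_parsers[type][version];
}

/* Handle one TVLV container (assumed header: type, version, be16 length, value).
 * Returns 0 on success, -1 for unknown type/version or truncation, else the parser's code. */
int tvlv_dispatch(const uint8_t *pkt, size_t pktlen)
{
    if (pktlen < 4)
        return -1;
    uint16_t vlen = (uint16_t)((pkt[2] << 8) | pkt[3]);
    if (pktlen - 4 < vlen)
        return -1;
    tvlv_parser_fn parser = tvlv_get_parser(pkt[0], pkt[1]);
    if (!parser)
        return -1;                       /* unknown TVLV: skip it instead of crashing */
    return parser(pkt + 4, vlen);
}
```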