pull request net: batman-adv 2013-04-22

pull request net: batman-adv 2013-04-22

[Antonio Quartulli]

here we have another (I think the last) fix intended for net/linux-3.9.

This patch fixes a bug in the Translation Table component. In particular, when
batman-adv accesses the "inner Ethernet header", it has have to jump over its
header which can have two different lengths. The current code assumes
that this length is always the same and so leading to a wrong access.
This patch fixes it by making the "jump" generic.

The bug is not very critical because it "only" breaks our "smart rerouting
feature" and does not lead to a crash since the memory it accesses is always
allocated. I would send it to stable, but you can decide whether it is worth or
not.


Please pull or let me know if there is any problem.
Thanks a lot,
	Antonio

The following changes since commit 60d509fa6a9c4653a86ad830e4c4b30360b23f0e:

  Linux 3.9-rc8 (2013-04-21 14:38:45 -0700)

are available in the git repository at:

  git://git.open-mesh.org/linux-merge.git tags/batman-adv-fix-for-davem

for you to fetch changes up to dd981ab091cde09bb9eb23c8d81305ba615ee30c:

  batman-adv: use the proper header len when checking the TTVN (2013-04-22 09:55:23 +0200)

----------------------------------------------------------------
Included changes:
- fix Ethernet header access by jumping the correct batman-adv header

----------------------------------------------------------------
Antonio Quartulli (1):
      batman-adv: use the proper header len when checking the TTVN

 net/batman-adv/routing.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

[PATCH] batman-adv: use the proper header len when checking the TTVN

[Antonio Quartulli]

From: Antonio Quartulli <antonio@open-mesh.com>

Unicast packet might be of type either UNICAST or
UNICAST4ADDR.
In the two cases the header size is different, but the
mechanism checking the TTVN field was assuming it to be
always of the same type (UNICAST), so failing to access the
inner Ethernet header in case of UNICAST4ADDR.

Fix this by passing the real header length as argument.

Signed-off-by: Antonio Quartulli <antonio@open-mesh.com>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
---
 net/batman-adv/routing.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c
index 319f290..7de0336 100644
--- a/net/batman-adv/routing.c
+++ b/net/batman-adv/routing.c
@@ -924,7 +924,7 @@ out:
 }
 
 static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
-				     struct sk_buff *skb) {
+				     struct sk_buff *skb, int hdr_len) {
 	uint8_t curr_ttvn, old_ttvn;
 	struct batadv_orig_node *orig_node;
 	struct ethhdr *ethhdr;
@@ -933,7 +933,7 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
 	int is_old_ttvn;
 
 	/* check if there is enough data before accessing it */
-	if (pskb_may_pull(skb, sizeof(*unicast_packet) + ETH_HLEN) < 0)
+	if (pskb_may_pull(skb, hdr_len + ETH_HLEN) < 0)
 		return 0;
 
 	/* create a copy of the skb (in case of for re-routing) to modify it. */
@@ -941,7 +941,7 @@ static int batadv_check_unicast_ttvn(struct batadv_priv *bat_priv,
 		return 0;
 
 	unicast_packet = (struct batadv_unicast_packet *)skb->data;
-	ethhdr = (struct ethhdr *)(skb->data + sizeof(*unicast_packet));
+	ethhdr = (struct ethhdr *)(skb->data + hdr_len);
 
 	/* check if the destination client was served by this node and it is now
 	 * roaming. In this case, it means that the node has got a ROAM_ADV
@@ -1048,8 +1048,7 @@ int batadv_recv_unicast_packet(struct sk_buff *skb,
 
 	if (batadv_check_unicast_packet(bat_priv, skb, hdr_size) < 0)
 		return NET_RX_DROP;
-
-	if (!batadv_check_unicast_ttvn(bat_priv, skb))
+	if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size))
 		return NET_RX_DROP;
 
 	/* packet for me */
@@ -1093,7 +1092,7 @@ int batadv_recv_ucast_frag_packet(struct sk_buff *skb,
 	if (batadv_check_unicast_packet(bat_priv, skb, hdr_size) < 0)
 		return NET_RX_DROP;
 
-	if (!batadv_check_unicast_ttvn(bat_priv, skb))
+	if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size))
 		return NET_RX_DROP;
 
 	unicast_packet = (struct batadv_unicast_frag_packet *)skb->data;
-- 
1.8.1.5

Re: pull request net: batman-adv 2013-04-22

[David Miller]

From: Antonio Quartulli <ordex@autistici.org>
Date: Mon, 22 Apr 2013 10:38:13 +0200

> here we have another (I think the last) fix intended for net/linux-3.9.
> 
> This patch fixes a bug in the Translation Table component. In particular, when
> batman-adv accesses the "inner Ethernet header", it has have to jump over its
> header which can have two different lengths. The current code assumes
> that this length is always the same and so leading to a wrong access.
> This patch fixes it by making the "jump" generic.
> 
> The bug is not very critical because it "only" breaks our "smart rerouting
> feature" and does not lead to a crash since the memory it accesses is always
> allocated. I would send it to stable, but you can decide whether it is worth or
> not.

Pulled, thanks.