From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:53584 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1758790AbcEFTd4 (ORCPT ); Fri, 6 May 2016 15:33:56 -0400 Subject: Patch "batman-adv: Check skb size before using encapsulated ETH+VLAN header" has been added to the 4.5-stable tree To: sven@narfation.org, a@unstable.cc, gregkh@linuxfoundation.org, mareklindner@neomailbox.ch Cc: , From: Date: Fri, 06 May 2016 14:37:10 -0400 Message-ID: <146255983011530@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled batman-adv: Check skb size before using encapsulated ETH+VLAN header to the 4.5-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch and it can be found in the queue-4.5 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From c78296665c3d81f040117432ab9e1cb125521b0c Mon Sep 17 00:00:00 2001 From: Sven Eckelmann Date: Fri, 26 Feb 2016 17:56:13 +0100 Subject: batman-adv: Check skb size before using encapsulated ETH+VLAN header From: Sven Eckelmann commit c78296665c3d81f040117432ab9e1cb125521b0c upstream. The encapsulated ethernet and VLAN header may be outside the received ethernet frame. Thus the skb buffer size has to be checked before it can be parsed to find out if it encapsulates another batman-adv packet. Fixes: 420193573f11 ("batman-adv: softif bridge loop avoidance") Signed-off-by: Sven Eckelmann Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli Signed-off-by: Greg Kroah-Hartman --- net/batman-adv/soft-interface.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) --- a/net/batman-adv/soft-interface.c +++ b/net/batman-adv/soft-interface.c @@ -407,11 +407,17 @@ void batadv_interface_rx(struct net_devi */ nf_reset(skb); + if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) + goto dropped; + vid = batadv_get_vid(skb, 0); ethhdr = eth_hdr(skb); switch (ntohs(ethhdr->h_proto)) { case ETH_P_8021Q: + if (!pskb_may_pull(skb, VLAN_ETH_HLEN)) + goto dropped; + vhdr = (struct vlan_ethhdr *)skb->data; if (vhdr->h_vlan_encapsulated_proto != ethertype) @@ -423,8 +429,6 @@ void batadv_interface_rx(struct net_devi } /* skb->dev & skb->pkt_type are set here */ - if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) - goto dropped; skb->protocol = eth_type_trans(skb, soft_iface); /* should not be necessary anymore as we use skb_pull_rcsum() Patches currently in stable-queue which might be from sven@narfation.org are queue-4.5/batman-adv-reduce-refcnt-of-removed-router-when-updating-route.patch queue-4.5/batman-adv-check-skb-size-before-using-encapsulated-eth-vlan-header.patch queue-4.5/batman-adv-fix-broadcast-ogm-queue-limit-on-a-removed-interface.patch queue-4.5/batman-adv-fix-dat-candidate-selection-must-use-vid.patch