batman-adv: Check size information when reassembling fragments
Commit Message
Hi Sven, hi Martin, hi all
I thought after 6 days with 3.17.4 without your patch the crashes had
been solved with the new kernel. But the server crashed again yesterday.
So I implemented your patch.
On Tuesday, 25.11.2014, 19:39 +0100, Martin Hundebøll wrote:
> Philipp:
> Can you please test this patch, and report back if it fixes your crash?
Patching was not trivial because the lines have changed. I did this
manually. I hope I did it right. So now, after 10 h, there has been a
crash. I suggest you tell me how to extract the bogus packets from the
vmcore dump so you can test them in the lab yourselves. You could also
send me links with simple instructions to study to complete this task,
because I do not know what to do.
Best regards
Philipp
Comments
Hi Sven, hi Martin, hi all
it's me again. After 11 minutes in gw mode the VM crashes again. The
"attacker" is back. It's your chance for new patches ;-) I'll disable
fragmentation, let's see if it helps.
I think I might have made a mistake. The kernel is compiled with gcc 4.7.3,
the patched module with 4.8.3. On the next crash I will recompile the module.
Best regards
Philipp
@@ -162,6 +162,7 @@
hlist_add_head(&frag_entry_new->list, &chain->head);
chain->size = skb->len - hdr_size;
chain->timestamp = jiffies;
+ chain->total_size = ntohs(frag_packet->total_size);
ret = true;
goto out;
}
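Review bot: `ntohs(frag_packet->total_size)` is evaluated here and then twice more in the `out:` condition on every insert; hoist it once into a local before the init-chain branch (e.g. `uint16_t total_size = ntohs(frag_packet->total_size);`) and write `chain->total_size = total_size;` here, so the comparison at `out:` reuses the same converted value. The stored value comes straight from the fragment header and is only validated after the `goto out`; that is fine because this path does reach `out:`, but a one-line comment saying so next to the assignment would make the intent clear.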
@@ -196,9 +197,11 @@
out:
if (chain->size > batadv_frag_size_limit() ||
- ntohs(frag_packet->total_size) > batadv_frag_size_limit()) {
+ chain->total_size != ntohs(frag_packet->total_size) ||
+ chain->total_size > batadv_frag_size_limit()) {
/* Clear chain if total size of either the list or the packet
- * exceeds the maximum size of one merged packet.
+ * exceeds the maximum size of one merged packet. Don't allow
+ * packets to have different total_size.
*/
batadv_frag_clear_chain(&chain->head);
chain->size = 0;
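Review bot: after `batadv_frag_clear_chain(&chain->head);` the code resets `chain->size = 0;` but leaves `chain->total_size` holding the value of the chain that was just discarded; reset it as well (`chain->total_size = 0;`) so the field never carries a stale header value between chains and the new `!=` check does not silently depend on the init path always running before the next comparison. Otherwise the added condition does the right thing: a fragment whose `total_size` disagrees with the value recorded when the chain was started now drops the whole chain instead of letting fragments with inconsistent size claims be merged, and the updated comment describes that.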
@@ -140,6 +140,7 @@
unsigned long timestamp;
uint16_t seqno;
uint16_t size;
+ uint16_t total_size;
};
/**
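Review bot: the struct gains `total_size` but the kernel-doc block for `struct batadv_frag_table_entry` is not touched by this hunk; add a `@total_size:` line beside the existing `@size` description, e.g. `@total_size: expected size of the merged packet, as announced in the fragment header`, otherwise kernel-doc reports the member as undocumented.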