diff mbox

batman-adv: Ensure that eth_type_trans gets linear memory

Message ID 1290349981-23883-1-git-send-email-sven.eckelmann@gmx.de (mailing list archive)
State Accepted, archived
Headers

Commit Message

Sven Eckelmann Nov. 21, 2010, 2:33 p.m. UTC 
  eth_type_trans tries to pull data with the length of the ethernet header
from the skb. We only ensured that enough data for the first ethernet
header and the batman header is available in non-paged memory of the skb
and not for the ethernet after the batman header.

eth_type_trans would fail sometimes with drivers which don't ensure that
all there data is perfectly linearised.

Reported-by: thorkill <lesniak@sra.uni-hannover.de>
Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
---
 batman-adv/soft-interface.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

Comments

Marek Lindner Nov. 21, 2010, 11:07 p.m. UTC | #1 
On Sunday 21 November 2010 15:33:01 Sven Eckelmann wrote:
> eth_type_trans tries to pull data with the length of the ethernet header
> from the skb. We only ensured that enough data for the first ethernet
> header and the batman header is available in non-paged memory of the skb
> and not for the ethernet after the batman header.
> 
> eth_type_trans would fail sometimes with drivers which don't ensure that
> all there data is perfectly linearised.

Ok, I went ahead and applied this patch in revision 1874 after some 
discussion. No Intel user needs to suffer if we can avoid it.  ;-)

Thanks,
Marek
diff mbox

Patch

diff --git a/batman-adv/soft-interface.c b/batman-adv/soft-interface.c
index e93a99f..e89ede1 100644
--- a/batman-adv/soft-interface.c
+++ b/batman-adv/soft-interface.c
@@ -494,6 +494,8 @@  void interface_rx(struct net_device *soft_iface,
 	}
 
 	/* skb->dev & skb->pkt_type are set here */
+	if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
+		goto dropped;
 	skb->protocol = eth_type_trans(skb, soft_iface);
 
 	/* should not be neccesary anymore as we use skb_pull_rcsum()