From patchwork Thu Apr 2 14:23:12 2009
X-Patchwork-Submitter: Sven Eckelmann
X-Patchwork-Id: 5374
From: Sven Eckelmann
To: b.a.t.m.a.n@open-mesh.net
Date: Thu, 2 Apr 2009 16:23:12 +0200
Message-Id: <1238682192-25240-1-git-send-email-sven.eckelmann@gmx.de>
X-Mailer: git-send-email 1.6.2.1
Subject: [B.A.T.M.A.N.] [PATCH] Don't access random memory after forwarding broadcast

B.A.T.M.A.N. advanced iterates over every known interface when receiving data and tries to forward as much as possible data from the same interface as possible using a while-loop inside the outer loop.

When it receives a broadcast ethernet frame which needs to be forwarded again it will try to send it to every known interface again. This loop is inside the first one and used the same pos variable as the outer loop. After the inner loop has finished it will point to a memory location which is not part of the interface list, but the while loop starts again and tries to access this memory region without knowing what it is and to what it belongs. This could lead to a kernel oops or any kind of other unspecified behavior of the kernel.

The inner loop should use a separate position variable to iterate over all interfaces for the broadcast.

Signed-off-by: Sven Eckelmann

--- batman-adv-kernelland/routing.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diff --git a/batman-adv-kernelland/routing.c b/batman-adv-kernelland/routing.c index 73e786e..89bfb3f 100644 --- a/batman-adv-kernelland/routing.c +++ b/batman-adv-kernelland/routing.c 
@@ -567,7 +567,7 @@ int receive_raw_packet(struct socket *raw_sock, unsigned char *packet_buff, int int packet_recv_thread(void *data) { - struct batman_if *batman_if; + struct batman_if *batman_if, *batman_bcastif; struct ethhdr *ethhdr; struct batman_packet *batman_packet; struct unicast_packet *unicast_packet; @@ -851,8 +851,8 @@ int packet_recv_thread(void *data) interface_rx(soft_device, packet_buff + sizeof(struct ethhdr) + sizeof(struct bcast_packet), result - sizeof(struct ethhdr) - sizeof(struct bcast_packet)); /* rebroadcast packet */ - list_for_each_entry_rcu(batman_if, &if_list, list) { - send_raw_packet(packet_buff + sizeof(struct ethhdr), result - sizeof(struct ethhdr), batman_if->net_dev->dev_addr, broadcastAddr, batman_if); + list_for_each_entry_rcu(batman_bcastif, &if_list, list) { + send_raw_packet(packet_buff + sizeof(struct ethhdr), result - sizeof(struct ethhdr), batman_bcastif->net_dev->dev_addr, broadcastAddr, batman_bcastif); } break;
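
Review bot: In the second hunk (the `/* rebroadcast packet */` loop in `packet_recv_thread`), nothing in the code records why this loop needs its own cursor, so a later cleanup could fold `batman_bcastif` back into `batman_if` and reintroduce the bug. Consider extending the comment to say that `batman_if` is still in use by the enclosing interface loop, or moving the rebroadcast into a small helper that declares its own local cursor, which would also make the function-scope declaration added in the first hunk unnecessary. The new `send_raw_packet(...)` line is far longer than 80 columns and could be wrapped after the length argument.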
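
The cursor aliasing described in the commit message, reduced to a userspace sketch (an added example, not code from batman-adv): once a `list_for_each_entry` walk runs to completion, its cursor is computed from the list head itself, so an inner walk that reuses the outer cursor leaves it referring to no interface. `struct demo_if`, `build_list` and `outer_id_after_rebroadcast` are hypothetical names, and the list macros are simplified stand-ins without RCU.

```c
#include <stddef.h>
#include <stdio.h>
/* Userspace stand-ins for <linux/list.h> (no RCU); names mirror the kernel's. */
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each_entry(pos, head, member) \
	for (pos = list_entry((head)->next, __typeof__(*pos), member); \
	     &pos->member != (head); \
	     pos = list_entry(pos->member.next, __typeof__(*pos), member))

/* Hypothetical interface record. 'list' is the first member so that the
 * end-of-walk cursor derived from the list head is a plain cast here. */
struct demo_if { struct list_head list; int id; };

static struct list_head if_list;
static struct demo_if ifs[3];

static void build_list(void)
{
	if_list.next = if_list.prev = &if_list;
	for (int i = 0; i < 3; i++) {	/* append ifs[i] at the tail */
		ifs[i].id = i;
		ifs[i].list.prev = if_list.prev;
		ifs[i].list.next = &if_list;
		if_list.prev->next = &ifs[i].list;
		if_list.prev = &ifs[i].list;
	}
}

/* Runs one outer iteration containing a nested "rebroadcast" walk and returns
 * the id the outer cursor refers to afterwards, or -1 if it no longer refers
 * to a list entry (it aliases the list head instead). */
int outer_id_after_rebroadcast(int share_cursor)
{
	struct demo_if *outer, *bcast, **cur = share_cursor ? &outer : &bcast;

	build_list();
	list_for_each_entry(outer, &if_list, list) {
		list_for_each_entry((*cur), &if_list, list)
			(void)(*cur)->id;	/* stands in for send_raw_packet() */
		return &outer->list == &if_list ? -1 : outer->id;
	}
	return -1;
}

int main(void)
{
	printf("shared: %d, separate: %d\n", outer_id_after_rebroadcast(1), outer_id_after_rebroadcast(0));
	return 0;
}
```

In the kernel the list member is usually not at offset 0 and the head is not embedded in an interface structure, so field reads through the stale cursor land in whatever memory surrounds the list head.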