From patchwork Fri May 7 19:47:27 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andrew Lunn X-Patchwork-Id: 103 Return-Path: Received: from londo.lunn.ch (londo.lunn.ch [80.238.139.98]) by open-mesh.net (Postfix) with ESMTP id 587BD1545AB for ; Fri, 7 May 2010 21:51:12 +0200 (CEST) Received: from lunn by londo.lunn.ch with local (Exim 3.36 #1 (Debian)) id 1OATWK-0005b1-00; Fri, 07 May 2010 21:47:36 +0200 From: Andrew Lunn To: greg@kroah.com Date: Fri, 7 May 2010 21:47:27 +0200 Message-Id: <1273261651-21378-23-git-send-email-andrew@lunn.ch> X-Mailer: git-send-email 1.7.1 In-Reply-To: <1273261651-21378-1-git-send-email-andrew@lunn.ch> References: <1273261651-21378-1-git-send-email-andrew@lunn.ch> Sender: Andrew Lunn Cc: Marek Lindner , b.a.t.m.a.n@lists.open-mesh.net Subject: [B.A.T.M.A.N.] [PATCH 22/26] Staging: batman-adv: Update pointer to ethhdr after skb_copy X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org X-Mailman-Version: 2.1.11 Precedence: list Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking List-Id: The list for a Better Approach To Mobile Ad-hoc Networking List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 07 May 2010 19:51:12 -0000 From: Sven Eckelmann We must ensure that all pointer to a socket buffer are updated when we copy a socket buffer and free our reference to the old one. Another part of the kernel could also free its reference which maybe removes the buffer completely. In that situation we would would feed wrong information to the routing algorithm after the memory area is written again by someone else. Signed-off-by: Sven Eckelmann Signed-off-by: Marek Lindner Signed-off-by: Andrew Lunn --- drivers/staging/batman-adv/routing.c | 18 ++++++++++++------ 1 files changed, 12 insertions(+), 6 deletions(-) diff --git a/drivers/staging/batman-adv/routing.c b/drivers/staging/batman-adv/routing.c index bf67059..919a4f8 100644 --- a/drivers/staging/batman-adv/routing.c +++ b/drivers/staging/batman-adv/routing.c @@ -614,6 +614,7 @@ int recv_bat_packet(struct sk_buff *skb, skb = skb_copy(skb, GFP_ATOMIC); if (!skb) return NET_RX_DROP; + ethhdr = (struct ethhdr *)skb_mac_header(skb); kfree_skb(skb_old); } @@ -639,8 +640,8 @@ static int recv_my_icmp_packet(struct sk_buff *skb) unsigned long flags; uint8_t dstaddr[ETH_ALEN]; - icmp_packet = (struct icmp_packet *) skb->data; - ethhdr = (struct ethhdr *) skb_mac_header(skb); + icmp_packet = (struct icmp_packet *)skb->data; + ethhdr = (struct ethhdr *)skb_mac_header(skb); /* add data to device queue */ if (icmp_packet->msg_type != ECHO_REQUEST) { @@ -671,7 +672,9 @@ static int recv_my_icmp_packet(struct sk_buff *skb) skb = skb_copy(skb, GFP_ATOMIC); if (!skb) return NET_RX_DROP; - icmp_packet = (struct icmp_packet *) skb->data; + + icmp_packet = (struct icmp_packet *)skb->data; + ethhdr = (struct ethhdr *)skb_mac_header(skb); kfree_skb(skb_old); } @@ -732,6 +735,7 @@ static int recv_icmp_ttl_exceeded(struct sk_buff *skb) if (!skb) return NET_RX_DROP; icmp_packet = (struct icmp_packet *) skb->data; + ethhdr = (struct ethhdr *)skb_mac_header(skb); kfree_skb(skb_old); } @@ -780,7 +784,7 @@ int recv_icmp_packet(struct sk_buff *skb) if (!is_my_mac(ethhdr->h_dest)) return NET_RX_DROP; - icmp_packet = (struct icmp_packet *) skb->data; + icmp_packet = (struct icmp_packet *)skb->data; /* packet for me */ if (is_my_mac(icmp_packet->dst)) @@ -812,7 +816,8 @@ int recv_icmp_packet(struct sk_buff *skb) skb = skb_copy(skb, GFP_ATOMIC); if (!skb) return NET_RX_DROP; - icmp_packet = (struct icmp_packet *) skb->data; + icmp_packet = (struct icmp_packet *)skb->data; + ethhdr = (struct ethhdr *)skb_mac_header(skb); kfree_skb(skb_old); } @@ -895,7 +900,8 @@ int recv_unicast_packet(struct sk_buff *skb) skb = skb_copy(skb, GFP_ATOMIC); if (!skb) return NET_RX_DROP; - unicast_packet = (struct unicast_packet *) skb->data; + unicast_packet = (struct unicast_packet *)skb->data; + ethhdr = (struct ethhdr *)skb_mac_header(skb); kfree_skb(skb_old); } /* decrement ttl */