From patchwork Tue Oct 11 12:07:26 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Antonio Quartulli <ordex@autistici.org>
X-Patchwork-Id: 1278
Return-Path: <ordex@autistici.org>
Received: from confino.investici.org (investici.nine.ch [217.150.252.179])
	by open-mesh.org (Postfix) with ESMTPS id E4AA06007E4
	for <b.a.t.m.a.n@lists.open-mesh.org>;
	Tue, 11 Oct 2011 14:08:17 +0200 (CEST)
Authentication-Results: open-mesh.org; dkim=pass (1024-bit key)
	header.i=@autistici.org; dkim-adsp=pass
Received: from [217.150.252.179] (confino [217.150.252.179]) (Authenticated
	sender: ordex@autistici.org) by localhost (Postfix) with
	ESMTPSA id 45D6AC864D; Tue, 11 Oct 2011 12:08:17 +0000 (UTC)
X-DKIM: Sendmail DKIM Filter v2.8.2 confino.investici.org 45D6AC864D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org;
	s=stigmate; t=1318334897;
	bh=GdGk7uL5rm3u5E9hMfF32fW1czaEUzgGiCtc/8Bl7Mk=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References;
	b=UZuMlhhJ8g2pVMw3dlHwLmyphZckRb76ai7QahbkZTV5Jrk99YhGq3sbaeZMOjGal
	FdwpKG6ivpvfjMqlX2iIFqklAAUh7N76C9TQVQTI58v13J9zaTKYYWf1VLx+2y9xhx
	XsS5kornH+GAIUqvyC7IR+EcMiLvmjAAdta2nr7c=
From: Antonio Quartulli <ordex@autistici.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Date: Tue, 11 Oct 2011 14:07:26 +0200
Message-Id: <1318334846-15625-2-git-send-email-ordex@autistici.org>
X-Mailer: git-send-email 1.7.3.4
In-Reply-To: <1318334846-15625-1-git-send-email-ordex@autistici.org>
References: <1318334846-15625-1-git-send-email-ordex@autistici.org>
Subject: [B.A.T.M.A.N.] [PATCH 2/2] batman-adv: check for tt_reponse real
	length
X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n@lists.open-mesh.org>
List-Id: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n.lists.open-mesh.org>
List-Unsubscribe: <https://lists.open-mesh.org/mm/options/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=unsubscribe>
List-Archive: <http://lists.open-mesh.org/pipermail/b.a.t.m.a.n>
List-Post: <mailto:b.a.t.m.a.n@lists.open-mesh.org>
List-Help: <mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=help>
List-Subscribe: <https://lists.open-mesh.org/mm/listinfo/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Oct 2011 12:08:18 -0000

Before accessing the TT_RESPONSE message payload, we have to ensure that the
real length of the packet reflect the claimed one (contained in
tt_response->tt_data field)

Reported-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
---
 routing.c |   12 ++++++++++++
 1 files changed, 12 insertions(+), 0 deletions(-)

diff --git a/routing.c b/routing.c
index 1a5d046..21a68a2 100644
--- a/routing.c
+++ b/routing.c
@@ -578,6 +578,7 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
 {
 	struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface);
 	struct tt_query_packet *tt_query;
+	uint16_t tt_len;
 	struct ethhdr *ethhdr;
 
 	/* drop packet if it has not necessary minimum size */
@@ -621,6 +622,17 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
 			if (skb_linearize(skb) < 0)
 				goto out;
 
+			if (tt_query->flags & TT_FULL_TABLE)
+				tt_len = tt_query->tt_data * ETH_ALEN;
+			else
+				tt_len = tt_query->tt_data *
+					 sizeof(struct tt_change);
+
+			/* Ensure we have all the claimed data */
+			if (unlikely(skb->length != sizeof(struct tt_query) +
+						    tt_len))
+				goto out;
+
 			handle_tt_response(bat_priv, tt_query);
 		} else {
 			bat_dbg(DBG_TT, bat_priv,