From patchwork Wed Oct 12 13:10:58 2011
X-Patchwork-Submitter: Antonio Quartulli
X-Patchwork-Id: 1298
From: Antonio Quartulli
To: b.a.t.m.a.n@lists.open-mesh.org
Date: Wed, 12 Oct 2011 15:10:58 +0200
Message-Id: <1318425058-715-2-git-send-email-ordex@autistici.org>
In-Reply-To: <1318425058-715-1-git-send-email-ordex@autistici.org>
References: <1318425058-715-1-git-send-email-ordex@autistici.org>
Subject: [B.A.T.M.A.N.] [PATCHv2 2/2] batman-adv: check for tt_response real length

Before accessing the TT_RESPONSE message payload, we have to ensure that the real length of the packet reflects the claimed one (contained in the tt_response->tt_data field).

Reported-by: Simon Wunderlich
Signed-off-by: Antonio Quartulli
---
corrected skb length check

 routing.c | 13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/routing.c b/routing.c
index 20804f4..af55cf7 100644
--- a/routing.c
+++ b/routing.c
@@ -578,6 +578,7 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) { struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface); struct tt_query_packet *tt_query; + uint16_t tt_len; struct ethhdr *ethhdr; /* drop packet if it has not necessary minimum size */
@@ -622,6 +623,18 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) if (skb_linearize(skb) < 0) goto out; + if (tt_query->flags & TT_FULL_TABLE) + tt_len = tt_query->tt_data * ETH_ALEN; + else + tt_len = tt_query->tt_data * + sizeof(struct tt_change); + + /* Ensure we have all the claimed data */ + if (unlikely(skb_headlen(skb) < + sizeof(struct tt_query_packet) + + tt_len)) + goto out; + handle_tt_response(bat_priv, tt_query); } else { bat_dbg(DBG_TT, bat_priv,
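Review bot: in the second hunk, `tt_len` (declared `uint16_t` in the first hunk) receives `tt_query->tt_data * ETH_ALEN` or `tt_query->tt_data * sizeof(struct tt_change)`; if `tt_data` is a 16-bit count (its type is not visible here), the product can exceed 65535 and is narrowed on assignment, so a large claimed count could produce a small `tt_len` and the new `skb_headlen(skb) < sizeof(struct tt_query_packet) + tt_len` comparison would let through a packet shorter than the table it claims. Suggest declaring `tt_len` as `size_t` (or `unsigned int`) so the sum is compared at full width, or bounding `tt_data` before the multiplication. A one-line comment that the check deliberately sits after `skb_linearize()`, because `skb_headlen()` only measures the linear part, would also help the next reader.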
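The check the commit message describes, written out as an added example: a header carries a claimed entry count, and the receiver must confirm the buffer that actually arrived is long enough for every claimed entry before walking them. This is illustration code, not the patch's or batman-adv's own; the `tt_hdr`/`tt_entry` structures, the `ADDR_LEN` and `FLAG_FULL_TABLE` constants and every function name are constructed stand-ins. It also shows why the width of the length variable matters: the claimed length is computed in `size_t`, and a second helper shows the same product narrowed to 16 bits.

```c
/* Added example, not code from the batman-adv patch above: verify that a
 * buffer really holds the header plus every entry the header claims, with
 * the claimed length computed in size_t so it cannot wrap. All types,
 * constants and names here are constructed for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ADDR_LEN        6     /* constructed: plays the role of ETH_ALEN */
#define FLAG_FULL_TABLE 0x01  /* constructed: plays the role of TT_FULL_TABLE */

/* constructed fixed header: flags plus a claimed entry count (4 bytes) */
struct tt_hdr {
    uint8_t  flags;
    uint8_t  reserved;
    uint16_t count;           /* claimed entries, host byte order here */
};

/* constructed per-entry record used when FLAG_FULL_TABLE is clear (7 bytes) */
struct tt_entry {
    uint8_t flags;
    uint8_t addr[ADDR_LEN];
};

/* Bytes one entry occupies for the given flags. */
static size_t tt_entry_size(uint8_t flags)
{
    return (flags & FLAG_FULL_TABLE) ? ADDR_LEN : sizeof(struct tt_entry);
}

/* Total bytes the header claims, computed in size_t so that
 * count * entry size is never narrowed before the comparison. */
size_t tt_needed_len(uint8_t flags, uint16_t count)
{
    return sizeof(struct tt_hdr) + (size_t)count * tt_entry_size(flags);
}

/* The same payload product narrowed to 16 bits, to show what a uint16_t
 * length variable would hold: 9363 entries * 7 bytes = 65541 wraps to 5. */
uint16_t tt_payload_len_narrowed(uint8_t flags, uint16_t count)
{
    return (uint16_t)(count * tt_entry_size(flags));
}

/* True only if buf holds the header and every claimed entry; this is the
 * check to run before handing the packet to the response handler. */
bool tt_payload_fits(const uint8_t *buf, size_t buf_len)
{
    struct tt_hdr hdr;

    if (buf_len < sizeof(hdr))          /* minimum-size check first */
        return false;
    memcpy(&hdr, buf, sizeof(hdr));     /* avoid an unaligned access */
    return buf_len >= tt_needed_len(hdr.flags, hdr.count);
}

/* Build a constructed packet: a header claiming `claimed` entries followed
 * by `present` real entries. Returns bytes written, or 0 if out is too small. */
size_t tt_build_packet(uint8_t *out, size_t out_cap, uint8_t flags,
                       uint16_t claimed, size_t present)
{
    struct tt_hdr hdr = { .flags = flags, .reserved = 0, .count = claimed };
    size_t entry = tt_entry_size(flags);
    size_t len = sizeof(hdr) + present * entry;

    if (len > out_cap)
        return 0;
    memcpy(out, &hdr, sizeof(hdr));
    for (size_t i = 0; i < present; i++) {
        uint8_t *e = out + sizeof(hdr) + i * entry;
        memset(e, 0, entry);
        e[entry - 1] = (uint8_t)i;      /* make each entry distinguishable */
    }
    return len;
}

int main(void)
{
    uint8_t buf[64];
    size_t n;

    n = tt_build_packet(buf, sizeof buf, 0, 2, 2);     /* claims 2, has 2 */
    printf("claims 2, has 2: %s\n", tt_payload_fits(buf, n) ? "ok" : "drop");
    n = tt_build_packet(buf, sizeof buf, 0, 3, 2);     /* claims 3, has 2 */
    printf("claims 3, has 2: %s\n", tt_payload_fits(buf, n) ? "ok" : "drop");
    n = tt_build_packet(buf, sizeof buf, 0, 9363, 2);  /* claims 9363, has 2 */
    printf("claims 9363: needs %zu bytes, narrowed payload len %u, %s\n",
           tt_needed_len(0, 9363), tt_payload_len_narrowed(0, 9363),
           tt_payload_fits(buf, n) ? "ok" : "drop");
    return 0;
}
```

The third packet is the interesting one: the widened check computes 65545 needed bytes and rejects the 18-byte buffer, whereas a 16-bit length variable would hold 5 and a comparison against it would pass.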