From patchwork Sun Oct 16 18:32:03 2011
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Antonio Quartulli <ordex@autistici.org>
X-Patchwork-Id: 1277
Return-Path: <ordex@autistici.org>
Received: from confino.investici.org (investici.nine.ch [217.150.252.179])
	by open-mesh.org (Postfix) with ESMTPS id 907106007C4
	for <b.a.t.m.a.n@lists.open-mesh.org>;
	Sun, 16 Oct 2011 20:33:06 +0200 (CEST)
Authentication-Results: open-mesh.org; dkim=pass (1024-bit key)
	header.i=@autistici.org; dkim-adsp=pass
Received: from [217.150.252.179] (confino [217.150.252.179]) (Authenticated
	sender: ordex@autistici.org) by localhost (Postfix) with
	ESMTPSA id E7B95C8646; Sun, 16 Oct 2011 18:33:05 +0000 (UTC)
X-DKIM: Sendmail DKIM Filter v2.8.2 confino.investici.org E7B95C8646
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org;
	s=stigmate; t=1318789986;
	bh=E5ZW+eCB5vhhqPtdweFpRZe3mQi1lVmJXKK/8XVXOnE=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References;
	b=P0toScVRsgdKgp5wo7lYBZ4WXcRGryH1nIxC2L87QAvegeSgoSOuvfojOhapan3vw
	cnL2um4RXdMy3ynzEmzieZ0aAmacLH+2kBbA8IePUyaoc/WwJkpxvETSvJEMVemPQ/
	6OdJPDdh8Jgep3m3KEwNCLJfy69ZsXLPzmR6uVRA=
From: Antonio Quartulli <ordex@autistici.org>
To: b.a.t.m.a.n@lists.open-mesh.org
Date: Sun, 16 Oct 2011 20:32:03 +0200
Message-Id: <1318789923-29405-2-git-send-email-ordex@autistici.org>
X-Mailer: git-send-email 1.7.3.4
In-Reply-To: <1318789923-29405-1-git-send-email-ordex@autistici.org>
References: <1318789923-29405-1-git-send-email-ordex@autistici.org>
Subject: [B.A.T.M.A.N.] [PATCHv3 2/3] batman-adv: check for tt_reponse
	packet real length
X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n@lists.open-mesh.org>
List-Id: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n.lists.open-mesh.org>
List-Unsubscribe: <https://lists.open-mesh.org/mm/options/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=unsubscribe>
List-Archive: <http://lists.open-mesh.org/pipermail/b.a.t.m.a.n>
List-Post: <mailto:b.a.t.m.a.n@lists.open-mesh.org>
List-Help: <mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=help>
List-Subscribe: <https://lists.open-mesh.org/mm/listinfo/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=subscribe>
X-List-Received-Date: Sun, 16 Oct 2011 18:33:06 -0000

Before accessing the TT_RESPONSE packet payload, the node has to ensure that the
packet is long enough as it would expect to be.

Reported-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
---
 routing.c |    9 +++++++++
 1 files changed, 9 insertions(+), 0 deletions(-)

diff --git a/routing.c b/routing.c
index e0e7b7b..ef24a72 100644
--- a/routing.c
+++ b/routing.c
@@ -578,6 +578,7 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
 {
 	struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface);
 	struct tt_query_packet *tt_query;
+	uint16_t tt_len;
 	struct ethhdr *ethhdr;
 
 	/* drop packet if it has not necessary minimum size */
@@ -622,6 +623,14 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
 			if (skb_linearize(skb) < 0)
 				goto out;
 
+			tt_len = tt_query->tt_data * sizeof(struct tt_change);
+
+			/* Ensure we have all the claimed data */
+			if (unlikely(skb_headlen(skb) <
+					sizeof(struct tt_query_packet) +
+					tt_len))
+				goto out;
+
 			handle_tt_response(bat_priv, tt_query);
 		} else {
 			bat_dbg(DBG_TT, bat_priv,