From patchwork Sat Nov 26 14:26:51 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Marek Lindner X-Patchwork-Id: 1402 Return-Path: Received: from nm22-vm0.bullet.mail.ukl.yahoo.com (nm22-vm0.bullet.mail.ukl.yahoo.com [217.12.10.74]) by open-mesh.org (Postfix) with SMTP id 15C5760087E for ; Sat, 26 Nov 2011 15:30:36 +0100 (CET) Authentication-Results: open-mesh.org; dkim=pass (1024-bit key) header.i=@yahoo.de; dkim-adsp=none Received: from [217.146.183.212] by nm22.bullet.mail.ukl.yahoo.com with NNFMP; 26 Nov 2011 14:30:35 -0000 Received: from [77.238.184.54] by tm5.bullet.mail.ukl.yahoo.com with NNFMP; 26 Nov 2011 14:30:35 -0000 Received: from [127.0.0.1] by smtp123.mail.ukl.yahoo.com with NNFMP; 26 Nov 2011 14:30:35 -0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.de; s=s1024; t=1322317835; bh=xSXbeWuAz7Ou1QFJ7hEdU3dg54c6ZMLLvKOLusVAPKk=; h=X-Yahoo-Newman-Id:X-Yahoo-Newman-Property:X-YMail-OSG:X-Yahoo-SMTP:Received:From:To:Cc:Subject:Date:Message-Id:X-Mailer:In-Reply-To:References; b=Q6ofO+0jIfX3FPcgSImPx2hnJr38royEKMODX4TMW6+BOKUDdkD0RIlbsbWHkXyybEVQi2HGHwLWnLeyzSYsLaTHyYJ3F39He6PtneuCw7tTbLwojwj0HeDO2Nbu5JLRrSF1vFDJsrArg6Csg2J6leGt00pQT3ClYQEZOYw85eU= X-Yahoo-Newman-Id: 754601.62113.bm@smtp123.mail.ukl.yahoo.com X-Yahoo-Newman-Property: ymail-3 X-YMail-OSG: 3t1ywskVM1mKF2eLPF.lCbGKvkyKEIQ8X3HTykPAdkWIaZX V41Nn91LvC9M0F4m0ufLt6EKtMpkFQLq7H5TOuC6x8RKj6NzDiJL.2pcLSK1 7MZNEJ.5ttny2.zFiX9oOTsfwL4YqORG7lfuf1RD3lpsV3iGk0_UpkSTbz8Q 0zWBKzJ3yVJseOyfukIu5IDON3D0SMh_K1pjG8PifB4r5ter66qwOohx1OBc qzok_HC8ANX_v4PQ2GAqX0RD7U51foegyLgKgTWeyW4yRo6uyWeloa1vxulP 8JIKxX5FYjE75mX9zl4Xu92HKjvrt5bFLIYZLWy7McBTk7887orfYaIu7iNY OnQulQyJmMS2boz5ahaKYYRrPRndsFmduL1s5tPY8TQ6ZDGoIfNWfVg-- X-Yahoo-SMTP: tW.h3tiswBBMXO2coYcbPigGD5Lt6zY_.Zc- Received: from localhost (lindner_marek@210.177.7.38 with plain) by smtp123.mail.ukl.yahoo.com with SMTP; 26 Nov 2011 14:30:33 +0000 GMT From: Marek Lindner To: davem@davemloft.net Date: Sat, 26 Nov 2011 22:26:51 +0800 Message-Id: <1322317612-7770-10-git-send-email-lindner_marek@yahoo.de> X-Mailer: git-send-email 1.7.5.4 In-Reply-To: <1322317612-7770-1-git-send-email-lindner_marek@yahoo.de> References: <1322317612-7770-1-git-send-email-lindner_marek@yahoo.de> Cc: netdev@vger.kernel.org, b.a.t.m.a.n@lists.open-mesh.org Subject: [B.A.T.M.A.N.] [PATCH 09/10] batman-adv: check for tt_reponse packet real length X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org X-Mailman-Version: 2.1.13 Precedence: list Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking List-Id: The list for a Better Approach To Mobile Ad-hoc Networking List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 26 Nov 2011 14:30:36 -0000 From: Antonio Quartulli Before accessing the TT_RESPONSE packet payload, the node has to ensure that the packet is long enough as it would expect to be. Reported-by: Simon Wunderlich Signed-off-by: Antonio Quartulli Signed-off-by: Sven Eckelmann --- net/batman-adv/routing.c | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c index e0e7b7b..ef24a72 100644 --- a/net/batman-adv/routing.c +++ b/net/batman-adv/routing.c @@ -578,6 +578,7 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) { struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface); struct tt_query_packet *tt_query; + uint16_t tt_len; struct ethhdr *ethhdr; /* drop packet if it has not necessary minimum size */ @@ -622,6 +623,14 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) if (skb_linearize(skb) < 0) goto out; + tt_len = tt_query->tt_data * sizeof(struct tt_change); + + /* Ensure we have all the claimed data */ + if (unlikely(skb_headlen(skb) < + sizeof(struct tt_query_packet) + + tt_len)) + goto out; + handle_tt_response(bat_priv, tt_query); } else { bat_dbg(DBG_TT, bat_priv,