From patchwork Wed May  9 11:12:43 2012
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Antonio Quartulli <ordex@autistici.org>
X-Patchwork-Id: 1845
Return-Path: <ordex@autistici.org>
Received: from confino.investici.org (investici.nine.ch [217.150.252.179])
	by open-mesh.org (Postfix) with ESMTPS id 9A1BD6007F1
	for <b.a.t.m.a.n@lists.open-mesh.org>;
	Wed,  9 May 2012 13:12:33 +0200 (CEST)
Authentication-Results: open-mesh.org; dkim=pass (1024-bit key)
	header.i=@autistici.org; dkim-adsp=pass
Received: from [217.150.252.179] (confino [217.150.252.179]) (Authenticated
	sender: ordex@autistici.org) by localhost (Postfix) with
	ESMTPSA id 55E1BC86D3; Wed,  9 May 2012 11:12:32 +0000 (UTC)
X-DKIM: Sendmail DKIM Filter v2.8.2 confino.investici.org 55E1BC86D3
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=autistici.org;
	s=stigmate; t=1336561952;
	bh=fwXYUyl9C/VGaiAX/8hPqIAf+sxqBwivMjRxl61q/pQ=;
	h=From:To:Cc:Subject:Date:Message-Id:In-Reply-To:References;
	b=W+cYnV5DKmX7S6jFU1jawtvDpz0FhC+Kn8Dlm0ViCf+gjMt9JWj0FXnkJ9MMyG5ow
	edSStHLbiMKWFdVRJhwh8ZqMhVfCye9B9puiLEAC+7Vw+E73fnqHQA6cEmyST9bQKB
	5epCP4BGEQSvIXGyBS+F8wtq/Kizc+gYwtB2ZNrs=
From: Antonio Quartulli <ordex@autistici.org>
To: davem@davemloft.net
Date: Wed,  9 May 2012 13:12:43 +0200
Message-Id: <1336561976-16088-2-git-send-email-ordex@autistici.org>
X-Mailer: git-send-email 1.7.9.4
In-Reply-To: <1336561976-16088-1-git-send-email-ordex@autistici.org>
References: <1336561976-16088-1-git-send-email-ordex@autistici.org>
Cc: netdev@vger.kernel.org, b.a.t.m.a.n@lists.open-mesh.org
Subject: [B.A.T.M.A.N.] [PATCH 01/14] batman-adv: fix wrong dhcp option list
	browsing
X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org
X-Mailman-Version: 2.1.13
Precedence: list
Reply-To: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n@lists.open-mesh.org>
List-Id: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n.lists.open-mesh.org>
List-Unsubscribe: <https://lists.open-mesh.org/mm/options/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=unsubscribe>
List-Archive: <http://lists.open-mesh.org/pipermail/b.a.t.m.a.n>
List-Post: <mailto:b.a.t.m.a.n@lists.open-mesh.org>
List-Help: <mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=help>
List-Subscribe: <https://lists.open-mesh.org/mm/listinfo/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2012 11:12:33 -0000

In is_type_dhcprequest(), while parsing a DHCP message, if the entry we found in
the option list is neither a padding nor the dhcp-type, we have to ignore it and
jump as many bytes as its length + 1. The "+ 1" byte is given by the subtype
field itself that has to be jumped too.

Reported-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
---
 net/batman-adv/gateway_client.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index 6f9b9b7..47f7186 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -558,10 +558,10 @@ static bool is_type_dhcprequest(struct sk_buff *skb, int header_len)
 			p++;
 
 			/* ...and then we jump over the data */
-			if (pkt_len < *p)
+			if (pkt_len < 1 + (*p))
 				goto out;
-			pkt_len -= *p;
-			p += (*p);
+			pkt_len -= 1 + (*p);
+			p += 1 + (*p);
 		}
 	}
 out: