batman-adv: fix memory access by setting mac_header in DAT
Commit Message
In the TX path we now have functions that rely on the
skb->mac_header field. DAT does not set such field when
creating its own ARP packets thus leading to wrong memory
access.
Fix it by always setting the mac_header after having forged
the ARP packet.
Reported-by: Russel Senior <russell@personaltelco.net>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Tested-by: Russel Senior <russell@personaltelco.net>
---
distributed-arp-table.c | 5 +++++
1 file changed, 5 insertions(+)
Comments
On 11/02/14 11:26, Antonio Quartulli wrote:
> In the TX path we now have functions that rely on the
> skb->mac_header field. DAT does not set such field when
> creating its own ARP packets thus leading to wrong memory
> access.
>
> Fix it by always setting the mac_header after having forged
> the ARP packet.
>
> Reported-by: Russel Senior <russell@personaltelco.net>
> Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
> Tested-by: Russel Senior <russell@personaltelco.net>
This patch is supposed to be applied on maint.
Cheers,
On 11/02/14 11:35, Antonio Quartulli wrote:
> On 11/02/14 11:26, Antonio Quartulli wrote:
>> In the TX path we now have functions that rely on the
>> skb->mac_header field. DAT does not set such field when
>> creating its own ARP packets thus leading to wrong memory
>> access.
>>
>> Fix it by always setting the mac_header after having forged
>> the ARP packet.
>>
>> Reported-by: Russel Senior <russell@personaltelco.net>
>> Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
>> Tested-by: Russel Senior <russell@personaltelco.net>
>
> This patch is supposed to be applied on maint.
Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb
("batman-adv: fix potential kernel paging error for unicast transmissions")
In this patch we have the introduction of eth_hdr() in
batadv_send_skb_unicast() which creates the problem..
Cheers,
On Tuesday 11 February 2014 11:58:26 Antonio Quartulli wrote:
> On 11/02/14 11:35, Antonio Quartulli wrote:
> > On 11/02/14 11:26, Antonio Quartulli wrote:
> >> In the TX path we now have functions that rely on the
> >> skb->mac_header field. DAT does not set such field when
> >> creating its own ARP packets thus leading to wrong memory
> >> access.
> >>
> >> Fix it by always setting the mac_header after having forged
> >> the ARP packet.
> >>
> >> Reported-by: Russel Senior <russell@personaltelco.net>
> >> Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
> >> Tested-by: Russel Senior <russell@personaltelco.net>
> >
> >
> >
> > This patch is supposed to be applied on maint.
>
> Introduced by 41b38727749a94c1a65cf0f4be9bfe1cbaf0adeb
> ("batman-adv: fix potential kernel paging error for unicast transmissions")
Applied in revision df99b07.
Thanks,
Marek
@@ -1028,6 +1028,11 @@ bool batadv_dat_snoop_incoming_arp_request(struct batadv_priv *bat_priv,
if (!skb_new)
goto out;
+ /* the rest of the TX path assumes that the mac_header offset pointing
+ * to the inner Ethernet header has been set, therefore reset it now.
+ */
+ skb_reset_mac_header(skb_new);
+
if (vid & BATADV_VLAN_HAS_TAG)
skb_new = vlan_insert_tag(skb_new, htons(ETH_P_8021Q),
vid & VLAN_VID_MASK);