From patchwork Sun Jun 26 09:16:12 2016
X-Patchwork-Submitter: Sven Eckelmann
X-Patchwork-Id: 16396
From: Sven Eckelmann
To: David Miller
Date: Sun, 26 Jun 2016 11:16:12 +0200
Message-Id: <1466932573-23105-4-git-send-email-sven@narfation.org>
In-Reply-To: <10049349.EHEiaYmtBd@sven-edge>
References: <10049349.EHEiaYmtBd@sven-edge>
Cc: netdev@vger.kernel.org, b.a.t.m.a.n@lists.open-mesh.org, Marek Lindner
Subject: [B.A.T.M.A.N.] [PATCH net 4/5] batman-adv: Fix ICMP RR ethernet access after skb_linearize

The skb_linearize may reallocate the skb. This makes the calculated pointer for ethhdr invalid. But the pointer is used later to fill in the RR field of the batadv_icmp_packet_rr packet. Instead re-evaluate eth_hdr after the skb_linearize+skb_cow to fix the pointer and avoid the invalid read.

Fixes: da6b8c20a5b8 ("batman-adv: generalize batman-adv icmp packet handling")
Signed-off-by: Sven Eckelmann
Signed-off-by: Marek Lindner
--- net/batman-adv/routing.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/batman-adv/routing.c b/net/batman-adv/routing.c index e3857ed..6c2901a 100644 --- a/net/batman-adv/routing.c +++ b/net/batman-adv/routing.c @@ -374,6 +374,7 @@ int batadv_recv_icmp_packet(struct sk_buff *skb, if (skb_cow(skb, ETH_HLEN) < 0) goto out; + ethhdr = eth_hdr(skb); icmph = (struct batadv_icmp_header *)skb->data; icmp_packet_rr = (struct batadv_icmp_packet_rr *)icmph; if (icmp_packet_rr->rr_cur >= BATADV_RR_LEN)
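Review bot: the added `ethhdr = eth_hdr(skb);` after the `skb_cow(skb, ETH_HLEN)` check carries no comment saying why the pointer is read again, so it looks like a redundant assignment that a later cleanup could drop, bringing back the stale pointer the commit message describes. A one-line comment above it, along the lines of "skb_linearize()/skb_cow() may reallocate the skb, so ethhdr must be re-read", would document the invariant. In the visible context `icmph` and `icmp_packet_rr` are re-derived from `skb->data` right next to it, which is the right pattern; it is worth confirming that no other pointer computed from the skb before the linearize/cow calls is still dereferenced on the RR path guarded by the `rr_cur >= BATADV_RR_LEN` check.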