diff mbox

[maint] batman-adv: Fix double neigh_node_put in batadv_v_ogm_route_update

Message ID 1656407.PytZZyZNAi@sven-edge (mailing list archive)
State Not Applicable, archived
Headers

Commit Message

Sven Eckelmann May 7, 2016, 7:03 a.m. UTC 
  On Friday 06 May 2016 22:27:09 Sven Eckelmann wrote:
> The router is put down twice when it was non-NULL and either orig_ifinfo is
> NULL afterwards or batman-adv receives a packet with the same sequence
> number. This will end up in a use-after-free when the batadv_neigh_node is
> removed because the reference counter ended up too early at 0.
> 
> Fixes: 667996ebeab4 ("batman-adv: OGMv2 - implement originators logic")
> Signed-off-by: Sven Eckelmann <sven@narfation.org>
[...]

There is a conflict with master. I hope that Antonio can share how it can be
resolved when he submits following remaining fixes to David:

 * batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
 * batman-adv: Avoid duplicate neigh_node additions
 * batman-adv: make sure ELP/OGM orig MAC is updated on address change
 * batman-adv: Fix unexpected free of bcast_own on add_if error
 * batman-adv: Avoid nullptr derefence in batadv_v_neigh_is_sob
 * batman-adv: Fix refcnt leak in batadv_v_neigh_*
 * batman-adv: Fix double neigh_node_put in batadv_v_ogm_route_update

The solution for the merge conflict with master is:

Comments

Antonio Quartulli May 7, 2016, 9:15 a.m. UTC | #1 
On Sat, May 07, 2016 at 09:03:13AM +0200, Sven Eckelmann wrote:
> On Friday 06 May 2016 22:27:09 Sven Eckelmann wrote:
> > The router is put down twice when it was non-NULL and either orig_ifinfo is
> > NULL afterwards or batman-adv receives a packet with the same sequence
> > number. This will end up in a use-after-free when the batadv_neigh_node is
> > removed because the reference counter ended up too early at 0.
> > 
> > Fixes: 667996ebeab4 ("batman-adv: OGMv2 - implement originators logic")
> > Signed-off-by: Sven Eckelmann <sven@narfation.org>
> [...]
> 
> There is a conflict with master. I hope that Antonio can share how it can be
> resolved when he submits following remaining fixes to David:
> 
>  * batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
>  * batman-adv: Avoid duplicate neigh_node additions
>  * batman-adv: make sure ELP/OGM orig MAC is updated on address change
>  * batman-adv: Fix unexpected free of bcast_own on add_if error
>  * batman-adv: Avoid nullptr derefence in batadv_v_neigh_is_sob
>  * batman-adv: Fix refcnt leak in batadv_v_neigh_*
>  * batman-adv: Fix double neigh_node_put in batadv_v_ogm_route_update
> 
> The solution for the merge conflict with master is:
> 
> --- a/net/batman-adv/bat_v_ogm.c
> +++ b/net/batman-adv/bat_v_ogm.c
> @@ -510,17 +510,10 @@
>                 goto out;
>         }
>  
> -<<<<<<<
>         /* Mark the OGM to be considered for forwarding, and update routes
>          * if needed.
>          */
>         forward = true;
> -=======
> -       if (router) {
> -               batadv_neigh_node_put(router);
> -               router = NULL;
> -       }
> ->>>>>>>
>  
>         batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
>                    "Searching and updating originator entry of received packet\n");

Thanks a lot for this.

Cheers,
diff mbox

Patch

--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -510,17 +510,10 @@ 
                goto out;
        }
 
-<<<<<<<
        /* Mark the OGM to be considered for forwarding, and update routes
         * if needed.
         */
        forward = true;
-=======
-       if (router) {
-               batadv_neigh_node_put(router);
-               router = NULL;
-       }
->>>>>>>
 
        batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                   "Searching and updating originator entry of received packet\n");