From patchwork Wed Nov 7 22:31:54 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Sven Eckelmann
X-Patchwork-Id: 17616
X-Patchwork-Delegate: sw@simonwunderlich.de
From: Sven Eckelmann
To: b.a.t.m.a.n@lists.open-mesh.org
Date: Wed, 7 Nov 2018 23:31:54 +0100
Message-Id: <20181107223154.7843-1-sven@narfation.org>
X-Mailer: git-send-email 2.19.1
Subject: [B.A.T.M.A.N.] [PATCH maint] batman-adv: Expand merged fragment buffer for full packet

The complete size ("total_size") of the fragmented packet is stored in the
fragment header and in the size of the fragment chain. When the fragments
are ready for merge, the skbuff's tail of the first fragment is expanded to
have enough room after the data pointer for at least total_size. This means
that it gets expanded by total_size - first_skb->len.

But this is ignoring the fact that after expanding the buffer, the fragment
header is pulled from this buffer. Assuming that the tailroom of the buffer
was already 0, the buffer after the data pointer of the skbuff is now only
total_size - len(fragment_header) large. When the merge function is then
processing the remaining fragments, the code to copy the data over to the
merged skbuff will cause an skb_over_panic when it tries to actually put
enough data to fill the total_size bytes of the packet.

The size of the skb_pull must therefore also be taken into account when the
buffer's tailroom is expanded.

Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
Reported-by: Martin Weinelt
Co-authored-by: Linus Lüssing
Signed-off-by: Sven Eckelmann
---
Cc: Martin Weinelt
---
 net/batman-adv/fragmentation.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c index 0fddc171..5b71a289 100644 --- a/net/batman-adv/fragmentation.c +++ b/net/batman-adv/fragmentation.c @@ -275,7 +275,7 @@ batadv_frag_merge_packets(struct hlist_head *chain) kfree(entry); packet = (struct batadv_frag_packet *)skb_out->data; - size = ntohs(packet->total_size); + size = ntohs(packet->total_size) + hdr_size; /* Make room for the rest of the fragments. */ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
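Review bot: The tailroom argument "size - skb_out->len" passed to pskb_expand_head() is still derived from packet->total_size, which is read directly from the received fragment header, and nothing in the visible context checks that total_size + hdr_size is at least skb_out->len before the subtraction. If that bound is enforced elsewhere, a short comment saying where would help; otherwise a check before the pskb_expand_head() call would keep a small total_size from making that difference go below zero. Separately, the comment "Make room for the rest of the fragments." no longer explains the added hdr_size; consider extending it to say that the fragment header is pulled from the buffer after the expansion, as the commit message describes.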