* pull request [net]: 20160107
From: Antonio Quartulli @ 2016-01-07  7:26 UTC
  To: davem; +Cc: netdev, b.a.t.m.a.n

Hello David,

I know it is extremely late in the release cycle, but please accept this
single (and small) change intended for net.

This bug-fix provided by Sven Eckelmann prevents a wrong memory access
in setups with multiple interfaces enslaved in batman-adv (very common
nowadays).

When such bad access is performed the code ends up filling with random
data an internal data structure used to compute the links metric, thus
leading to undefined behaviours.


This bug has been there forever, therefore it would be really nice if you
could get it queued for inclusion in stable.


Please pull or let me know of any problem!
Thanks a lot,
	Antonio


The following changes since commit 51cb67c0b0fcb91581b15bd2e85f29af4d4b2df6:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2016-01-06 16:15:03 -0800)

are available in the git repository at:

  git://git.open-mesh.org/linux-merge.git tags/batman-adv-fix-for-davem

for you to fetch changes up to 13bbdd370f67aef3351ad7bbc2fb624e3c23f905:

  batman-adv: Fix invalid read while copying bat_iv.bcast_own (2016-01-07 14:24:05 +0800)

----------------------------------------------------------------
Included change:
- Fix invalid read while copying bat_iv.bcast_own by Sven Eckelmann

----------------------------------------------------------------
Sven Eckelmann (1):
      batman-adv: Fix invalid read while copying bat_iv.bcast_own

 net/batman-adv/bat_iv_ogm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

* [PATCH] batman-adv: Fix invalid read while copying bat_iv.bcast_own
From: Antonio Quartulli @ 2016-01-07  7:26 UTC
  To: davem
  Cc: netdev, b.a.t.m.a.n, Sven Eckelmann, Marek Lindner, Antonio Quartulli

From: Sven Eckelmann <sven@narfation.org>

batadv_iv_ogm_orig_del_if removes a part of the bcast_own which previously
belonged to the now removed interface. This is done by copying all data
which comes before the removed interface and then appending all the data
which comes after the removed interface.

The address calculation for the position of the data which comes after the
removed interface assumed that the bat_iv.bcast_own is a pointer to a
single byte datatype. But it is a pointer to unsigned long and thus the
calculated position was off by a factor of sizeof(unsigned long).

Fixes: 83a8342678a0 ("more basic routing code added (forwarding packets /
bitarray added)")

Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
Signed-off-by: Antonio Quartulli <a@unstable.cc>
---
 net/batman-adv/bat_iv_ogm.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 912d9c3..aa94b4e 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -185,7 +185,8 @@ unlock:
 static int batadv_iv_ogm_orig_del_if(struct batadv_orig_node *orig_node,
 				     int max_if_num, int del_if_num)
 {
-	int chunk_size,  ret = -ENOMEM, if_offset;
+	int ret = -ENOMEM;
+	size_t chunk_size, if_offset;
 	void *data_ptr = NULL;
 
 	spin_lock_bh(&orig_node->bat_iv.ogm_cnt_lock);
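Review bot: chunk_size and if_offset become size_t here while max_if_num and del_if_num stay int in the signature, so the memcpy lengths later in the function (del_if_num * chunk_size, (max_if_num - del_if_num) * chunk_size) now convert the int operand to size_t, and a negative index would turn into a very large length instead of a negative one. Consider making both parameters unsigned as well, or documenting at the top of the function that callers guarantee 0 <= del_if_num <= max_if_num, so the types agree across the whole calculation.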
@@ -203,8 +204,9 @@ static int batadv_iv_ogm_orig_del_if(struct batadv_orig_node *orig_node,
 	memcpy(data_ptr, orig_node->bat_iv.bcast_own, del_if_num * chunk_size);
 
 	/* copy second part */
+	if_offset = (del_if_num + 1) * chunk_size;
 	memcpy((char *)data_ptr + del_if_num * chunk_size,
-	       orig_node->bat_iv.bcast_own + ((del_if_num + 1) * chunk_size),
+	       (uint8_t *)orig_node->bat_iv.bcast_own + if_offset,
 	       (max_if_num - del_if_num) * chunk_size);
 
 free_bcast_own:
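Review bot: the second memcpy reads (max_if_num - del_if_num) chunks starting at chunk del_if_num + 1, which stays inside the source only if bcast_own still holds max_if_num + 1 chunks, that is, if max_if_num is the interface count after the removal; a one-line comment next to /* copy second part */ stating that would make the bound checkable from this function alone. Minor style point: the destination is cast with (char *) and the source with (uint8_t *); using the same byte type for both would read more consistently.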
-- 
2.7.0
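
The offset error described in the commit message above, as an added example (not part of the patch or of the batman-adv code): `byte_offset`, `in_bounds`, `remove_chunk` and the `words` parameter are hypothetical names, and the sample array is constructed. It goes slightly beyond the patch by validating the indices before copying.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Byte offset reached by ptr + (del_if_num + 1) * chunk_size when ptr
 * points to elem_size-byte elements: C scales the addend by elem_size. */
size_t byte_offset(size_t del_if_num, size_t chunk_size, size_t elem_size)
{
	return (del_if_num + 1) * chunk_size * elem_size;
}

/* True if [off, off + len) lies inside a buffer of total bytes. */
int in_bounds(size_t off, size_t len, size_t total)
{
	return off <= total && len <= total - off;
}

/* Drop chunk del_if_num from old_num chunks of `words` unsigned longs
 * each (hypothetical helper). Returns a new buffer or NULL. */
unsigned long *remove_chunk(const unsigned long *own, size_t old_num,
			    size_t del_if_num, size_t words)
{
	size_t chunk_size = words * sizeof(unsigned long);
	size_t if_offset = (del_if_num + 1) * chunk_size;
	unsigned long *out;

	if (old_num < 2 || del_if_num >= old_num)
		return NULL;
	out = malloc((old_num - 1) * chunk_size);
	if (!out)
		return NULL;
	/* copy first part: chunks before the removed one */
	memcpy(out, own, del_if_num * chunk_size);
	/* copy second part: source offset computed in bytes */
	memcpy((uint8_t *)out + del_if_num * chunk_size,
	       (const uint8_t *)own + if_offset,
	       (old_num - 1 - del_if_num) * chunk_size);
	return out;
}

int main(void)
{
	unsigned long own[6] = {1, 1, 2, 2, 3, 3}; /* constructed sample */
	unsigned long *r = remove_chunk(own, 3, 1, 2);
	int ok = r && r[0] == 1 && r[2] == 3 && r[3] == 3;

	free(r);
	return ok ? 0 : 1;
}
```

Passing `sizeof(unsigned long)` as `elem_size` gives the offset the pre-fix expression reached, and `sizeof(uint8_t)` gives the offset after the fix; `in_bounds` shows which of the two stays inside the source buffer.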

* Re: pull request [net]: batman-adv 20160107
From: Antonio Quartulli @ 2016-01-07  7:29 UTC
  To: davem; +Cc: netdev, b.a.t.m.a.n

Sorry, missed the batman-adv prefix.

Cheers,



-- 
Antonio Quartulli


* Re: pull request [net]: 20160107
From: David Miller @ 2016-01-09  2:47 UTC
  To: a; +Cc: netdev, b.a.t.m.a.n

From: Antonio Quartulli <a@unstable.cc>
Date: Thu,  7 Jan 2016 15:26:26 +0800

> I know it is extremely late in the release cycle, but please accept this
> single (and small) change intended for net.

Pulled, thanks Antonio.
