[B.A.T.M.A.N.] [PATCHv2 1/2] batman-adv: linearise the tt_response only if needed

[B.A.T.M.A.N.] [PATCHv2 1/2] batman-adv: linearise the tt_response only if needed

[Antonio Quartulli]

The TT_RESPONSE message can be linearised only if we plan to access the tt
payload (only if the message is directed to me). In all the other cases we can
avoid this memory operation

Signed-off-by: Antonio Quartulli <ordex@autistici.org>
---

corrected typo in the commit message

 routing.c |   11 ++++++-----
 1 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/routing.c b/routing.c
index f961cc5..20804f4 100644
--- a/routing.c
+++ b/routing.c
@@ -616,13 +616,14 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
 		}
 		break;
 	case TT_RESPONSE:
-		/* packet needs to be linearized to access the TT changes */
-		if (skb_linearize(skb) < 0)
-			goto out;
+		if (is_my_mac(tt_query->dst)) {
+			/* packet needs to be linearized to access the TT
+			 * changes */
+			if (skb_linearize(skb) < 0)
+				goto out;
 
-		if (is_my_mac(tt_query->dst))
 			handle_tt_response(bat_priv, tt_query);
-		else {
+		} else {
 			bat_dbg(DBG_TT, bat_priv,
 				"Routing TT_RESPONSE to %pM [%c]\n",
 				tt_query->dst,
-- 
1.7.3.4

[B.A.T.M.A.N.] [PATCHv2 2/2] batman-adv: check for tt_reponse real length

[Antonio Quartulli]

Before accessing the TT_RESPONSE message payload, we have to ensure that the
real length of the packet reflect the claimed one (contained in
tt_response->tt_data field)

Reported-by: Simon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
---

corrected skb length check

 routing.c |   13 +++++++++++++
 1 files changed, 13 insertions(+), 0 deletions(-)

diff --git a/routing.c b/routing.c
index 20804f4..af55cf7 100644
--- a/routing.c
+++ b/routing.c
@@ -578,6 +578,7 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
 {
 	struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface);
 	struct tt_query_packet *tt_query;
+	uint16_t tt_len;
 	struct ethhdr *ethhdr;
 
 	/* drop packet if it has not necessary minimum size */
@@ -622,6 +623,18 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
 			if (skb_linearize(skb) < 0)
 				goto out;
 
+			if (tt_query->flags & TT_FULL_TABLE)
+				tt_len = tt_query->tt_data * ETH_ALEN;
+			else
+				tt_len = tt_query->tt_data *
+					 sizeof(struct tt_change);
+
+			/* Ensure we have all the claimed data */
+			if (unlikely(skb_headlen(skb) <
+					sizeof(struct tt_query_packet) +
+					tt_len))
+				goto out;
+
 			handle_tt_response(bat_priv, tt_query);
 		} else {
 			bat_dbg(DBG_TT, bat_priv,
-- 
1.7.3.4

Re: [B.A.T.M.A.N.] [PATCHv2 2/2] batman-adv: check for tt_reponse real length

[Marek Lindner]

On Wednesday, October 12, 2011 15:10:58 Antonio Quartulli wrote:
> if (tt_query->flags & TT_FULL_TABLE)
> +                               tt_len = tt_query->tt_data * ETH_ALEN;

Odd, I had the feeling the full table also uses 'struct tt_change' and not 
plain ethernet addresses anymore.

From translation-table.c (send_my_tt_response):
tt_len = (uint16_t)atomic_read(&bat_priv->num_local_tt) * 
                              sizeof(struct tt_change);

Regards,
Marek