b.a.t.m.a.n.lists.open-mesh.org archive mirror
* [B.A.T.M.A.N.] [PATCH] batman-adv: verify whether tt len exceeds packet len upon receipt of OGM
@ 2013-03-04  2:43 Marek Lindner
From: Marek Lindner @ 2013-03-04  2:43 UTC (permalink / raw)
  To: b.a.t.m.a.n; +Cc: Marek Lindner

Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
---
 bat_iv_ogm.c |   11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c
index 7654b76..99cab3b 100644
--- a/bat_iv_ogm.c
+++ b/bat_iv_ogm.c
@@ -1272,7 +1272,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
 	struct batadv_priv *bat_priv = netdev_priv(if_incoming->soft_iface);
 	struct batadv_ogm_packet *batadv_ogm_packet;
 	struct ethhdr *ethhdr;
-	int buff_pos = 0, packet_len;
+	int buff_pos = 0, tt_len, packet_len;
 	unsigned char *tt_buff, *packet_buff;
 	bool ret;
 	uint8_t *packet_pos;
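
Review bot: `tt_len` on the changed declaration line is a plain int like `buff_pos` and `packet_len`, so the bound check added further down is evaluated in signed arithmetic on a value derived from a field of the received packet. If batadv_tt_len() can never return a negative or wrapped value for any tt_num_changes this is fine, but that should be confirmed, or the three variables made unsigned, because a negative tt_len would pass a `> packet_len` test and then move buff_pos backwards.
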
@@ -1298,14 +1298,17 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
 
 	/* unpack the aggregated packets and process them one by one */
 	do {
+		tt_len = batadv_tt_len(batadv_ogm_packet->tt_num_changes);
+
+		if (buff_pos + BATADV_OGM_HLEN + tt_len > packet_len)
+			break;
+
 		tt_buff = packet_buff + buff_pos + BATADV_OGM_HLEN;
 
 		batadv_iv_ogm_process(ethhdr, batadv_ogm_packet, tt_buff,
 				      if_incoming);
 
-		buff_pos += BATADV_OGM_HLEN;
-		buff_pos += batadv_tt_len(batadv_ogm_packet->tt_num_changes);
-
+		buff_pos += BATADV_OGM_HLEN + tt_len;
 		packet_pos = packet_buff + buff_pos;
 		batadv_ogm_packet = (struct batadv_ogm_packet *)packet_pos;
 	} while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,
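
Review bot: The check added at the top of the do body, `if (buff_pos + BATADV_OGM_HLEN + tt_len > packet_len) break;`, runs on every iteration, while the `while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,` condition on the last context line already receives the same offset and length before any later OGM is processed. If that helper performs the same bound test, only the first OGM in the buffer is unchecked today, and turning the do/while into a plain while loop on that condition (or testing once before the loop) would cover it without duplicating the arithmetic. Two smaller points: `batadv_ogm_packet->tt_num_changes` is read before the check, so a comment should say where the presence of at least BATADV_OGM_HLEN bytes is guaranteed; and the commit message has no body, so it should state that an oversized tt_num_changes would otherwise let the `tt_buff` region handed to batadv_iv_ogm_process() extend past packet_len.
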
-- 
1.7.10.4

