b.a.t.m.a.n.lists.open-mesh.org archive mirror
 help / color / mirror / Atom feed
* [B.A.T.M.A.N.] pull request: batman-adv 2013-03-11
@ 2013-03-11 22:12 Antonio Quartulli
  2013-03-11 22:12 ` [B.A.T.M.A.N.] [PATCH] batman-adv: verify tt len does not exceed packet len Antonio Quartulli
  2013-03-12 15:37 ` [B.A.T.M.A.N.] pull request: batman-adv 2013-03-11 David Miller
  0 siblings, 2 replies; 3+ messages in thread
From: Antonio Quartulli @ 2013-03-11 22:12 UTC (permalink / raw)
  To: davem; +Cc: netdev, b.a.t.m.a.n

Hello David,

This is a single fix intended for net/linux-3.9 brought by Marek Lindner.
It ensures that the incoming originator message parsing routine does not
try to read beyond the packet boundary causing it to process random data.

This bug is in since a while..Please, consider sending this patch to stable.


Please pull or let me know if there is any problem!
Thank you,
	Antonio



The following changes since commit 7c6baa304b841673d3a55ea4fcf9a5cbf7a1674b:

  Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip (2013-03-11 07:54:29 -0700)

are available in the git repository at:


  git://git.open-mesh.org/linux-merge.git tags/batman-adv-fix-for-davem

for you to fetch changes up to b47506d91259c29b9c75c404737eb6525556f9b4:

  batman-adv: verify tt len does not exceed packet len (2013-03-11 22:59:47 +0100)

----------------------------------------------------------------
Included changes ares:
- fix packet parsing routine to avoid to read beyond the packet boundary

----------------------------------------------------------------
Marek Lindner (1):
      batman-adv: verify tt len does not exceed packet len

 net/batman-adv/bat_iv_ogm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

^ permalink raw reply	[flat|nested] 3+ messages in thread
* [B.A.T.M.A.N.] [PATCH] batman-adv: verify tt len does not exceed packet len
  2013-03-11 22:12 [B.A.T.M.A.N.] pull request: batman-adv 2013-03-11 Antonio Quartulli
@ 2013-03-11 22:12 ` Antonio Quartulli
  2013-03-12 15:37 ` [B.A.T.M.A.N.] pull request: batman-adv 2013-03-11 David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: Antonio Quartulli @ 2013-03-11 22:12 UTC (permalink / raw)
  To: davem; +Cc: netdev, b.a.t.m.a.n, Marek Lindner

From: Marek Lindner <lindner_marek@yahoo.de>

batadv_iv_ogm_process() accesses the packet using the tt_num_changes
attribute regardless of the real packet len (assuming the length check
was done before). Therefore a length check is needed to avoid reading
random memory.

Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Antonio Quartulli <ordex@autistici.org>
---
 net/batman-adv/bat_iv_ogm.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index a0b253e..a5bb0a7 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -1288,7 +1288,8 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
 	batadv_ogm_packet = (struct batadv_ogm_packet *)packet_buff;
 
 	/* unpack the aggregated packets and process them one by one */
-	do {
+	while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,
+					 batadv_ogm_packet->tt_num_changes)) {
 		tt_buff = packet_buff + buff_pos + BATADV_OGM_HLEN;
 
 		batadv_iv_ogm_process(ethhdr, batadv_ogm_packet, tt_buff,
@@ -1299,8 +1300,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
 
 		packet_pos = packet_buff + buff_pos;
 		batadv_ogm_packet = (struct batadv_ogm_packet *)packet_pos;
-	} while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,
-					   batadv_ogm_packet->tt_num_changes));
+	}
 
 	kfree_skb(skb);
 	return NET_RX_SUCCESS;
-- 
1.8.1.5


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [B.A.T.M.A.N.] pull request: batman-adv 2013-03-11
  2013-03-11 22:12 [B.A.T.M.A.N.] pull request: batman-adv 2013-03-11 Antonio Quartulli
  2013-03-11 22:12 ` [B.A.T.M.A.N.] [PATCH] batman-adv: verify tt len does not exceed packet len Antonio Quartulli
@ 2013-03-12 15:37 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2013-03-12 15:37 UTC (permalink / raw)
  To: ordex; +Cc: netdev, b.a.t.m.a.n

From: Antonio Quartulli <ordex@autistici.org>
Date: Mon, 11 Mar 2013 23:12:27 +0100

> This is a single fix intended for net/linux-3.9 brought by Marek Lindner.
> It ensures that the incoming originator message parsing routine does not
> try to read beyond the packet boundary causing it to process random data.
> 
> This bug is in since a while..Please, consider sending this patch to stable.
> 
> 
> Please pull or let me know if there is any problem!

Pulled and queued up for -stable.

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2013-03-12 15:37 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2013-03-11 22:12 [B.A.T.M.A.N.] pull request: batman-adv 2013-03-11 Antonio Quartulli
2013-03-11 22:12 ` [B.A.T.M.A.N.] [PATCH] batman-adv: verify tt len does not exceed packet len Antonio Quartulli
2013-03-12 15:37 ` [B.A.T.M.A.N.] pull request: batman-adv 2013-03-11 David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).