From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Sven Eckelmann <sven@narfation.org>,
Simon Wunderlich <sw@simonwunderlich.de>,
Sasha Levin <sashal@kernel.org>,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 15/68] batman-adv: Expand merged fragment buffer for full packet
Date: Thu, 29 Nov 2018 00:55:06 -0500 [thread overview]
Message-ID: <20181129055559.159228-15-sashal@kernel.org> (raw)
In-Reply-To: <20181129055559.159228-1-sashal@kernel.org>
From: Sven Eckelmann <sven@narfation.org>
[ Upstream commit d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60 ]
The complete size ("total_size") of the fragmented packet is stored in the
fragment header and in the size of the fragment chain. When the fragments
are ready for merge, the skbuff's tail of the first fragment is expanded to
have enough room after the data pointer for at least total_size. This means
that it gets expanded by total_size - first_skb->len.
But this is ignoring the fact that after expanding the buffer, the fragment
header is pulled by from this buffer. Assuming that the tailroom of the
buffer was already 0, the buffer after the data pointer of the skbuff is
now only total_size - len(fragment_header) large. When the merge function
is then processing the remaining fragments, the code to copy the data over
to the merged skbuff will cause an skb_over_panic when it tries to actually
put enough data to fill the total_size bytes of the packet.
The size of the skb_pull must therefore also be taken into account when the
buffer's tailroom is expanded.
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Co-authored-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/batman-adv/fragmentation.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index 0fddc17106bd..5b71a289d04f 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -275,7 +275,7 @@ batadv_frag_merge_packets(struct hlist_head *chain)
kfree(entry);
packet = (struct batadv_frag_packet *)skb_out->data;
- size = ntohs(packet->total_size);
+ size = ntohs(packet->total_size) + hdr_size;
/* Make room for the rest of the fragments. */
if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
--
2.17.1
next prev parent reply other threads:[~2018-11-29 5:57 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-11-29 5:54 [PATCH AUTOSEL 4.19 01/68] media: vicodec: lower minimum height to 360 Sasha Levin
2018-11-29 5:54 ` [PATCH AUTOSEL 4.19 02/68] media: cec: check for non-OK/NACK conditions while claiming a LA Sasha Levin
2018-11-29 5:54 ` [PATCH AUTOSEL 4.19 03/68] media: omap3isp: Unregister media device as first Sasha Levin
2018-11-29 5:54 ` [PATCH AUTOSEL 4.19 04/68] media: ipu3-cio2: Unregister device nodes first, then release resources Sasha Levin
2018-11-29 5:54 ` [PATCH AUTOSEL 4.19 05/68] iommu/vt-d: Fix NULL pointer dereference in prq_event_thread() Sasha Levin
2018-11-29 5:54 ` [PATCH AUTOSEL 4.19 06/68] brcmutil: really fix decoding channel info for 160 MHz bandwidth Sasha Levin
2018-11-29 11:49 ` Kalle Valo
2018-11-29 16:54 ` Sasha Levin
2018-11-29 5:54 ` [PATCH AUTOSEL 4.19 07/68] mt76: fix building without CONFIG_LEDS_CLASS Sasha Levin
2018-11-29 5:54 ` [PATCH AUTOSEL 4.19 08/68] iommu/ipmmu-vmsa: Fix crash on early domain free Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 09/68] scsi: ufs: Fix hynix ufs bug with quirk on hi36xx SoC Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 10/68] can: ucan: remove set but not used variable 'udev' Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 11/68] can: rcar_can: Fix erroneous registration Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 12/68] test_firmware: fix error return getting clobbered Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 13/68] HID: input: Ignore battery reported by Symbol DS4308 Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 14/68] batman-adv: Use explicit tvlv padding for ELP packets Sasha Levin
2018-11-29 5:55 ` Sasha Levin [this message]
2018-11-29 10:00 ` [PATCH AUTOSEL 4.19 15/68] batman-adv: Expand merged fragment buffer for full packet Sergei Shtylyov
2018-11-29 10:04 ` Sergei Shtylyov
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 16/68] amd/iommu: Fix Guest Virtual APIC Log Tail Address Register Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 17/68] bnx2x: Assign unique DMAE channel number for FW DMAE transactions Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 18/68] qed: Fix PTT leak in qed_drain() Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 19/68] qed: Fix overriding offload_tc by protocols without APP TLV Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 20/68] qed: Fix rdma_info structure allocation Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 21/68] qed: Fix reading wrong value in loop condition Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 22/68] usb: dwc2: pci: Fix an error code in probe Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 23/68] Revert "usb: gadget: ffs: Fix BUG when userland exits with submitted AIO transfers" Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 24/68] s390/ism: clear dmbe_mask bit before SMC IRQ handling Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 25/68] nvme-fc: resolve io failures during connect Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 26/68] bnxt_en: Fix filling time in bnxt_fill_coredump_record() Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 27/68] drm/amdgpu: Add amdgpu "max bpc" connector property (v2) Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 28/68] drm/amd/display: Support " Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 29/68] net/mlx4_core: Zero out lkey field in SW2HW_MPT fw command Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 30/68] net/mlx4_core: Fix uninitialized variable compilation warning Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 31/68] net/mlx4: Fix UBSAN warning of signed integer overflow Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 32/68] drivers/net/ethernet/qlogic/qed/qed_rdma.h: fix typo Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 33/68] gpio: pxa: fix legacy non pinctrl aware builds again Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 34/68] gpio: mockup: fix indicated direction Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 35/68] tc-testing: tdc.py: ignore errors when decoding stdout/stderr Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 36/68] tc-testing: tdc.py: Guard against lack of returncode in executed command Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 37/68] mtd: rawnand: qcom: Namespace prefix some commands Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 38/68] cpufreq: ti-cpufreq: Only register platform_device when supported Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 39/68] exec: make de_thread() freezable Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 40/68] ALSA: hda/ca0132 - Add new ZxR quirk Sasha Levin
2018-11-29 14:51 ` Connor McAdams
2018-12-05 16:00 ` Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 41/68] Revert "HID: uhid: use strlcpy() instead of strncpy()" Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 42/68] HID: steam: remove input device when a hid client is running Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 43/68] HID: multitouch: Add pointstick support for Cirque Touchpad Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 44/68] mtd: spi-nor: Fix Cadence QSPI page fault kernel panic Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 45/68] net: ena: fix crash during failed resume from hibernation Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 46/68] NFSv4: Fix a NFSv4 state manager deadlock Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 47/68] qed: Fix bitmap_weight() check Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 48/68] qed: Fix QM getters to always return a valid pq Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 49/68] net/ibmnvic: Fix deadlock problem in reset Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 50/68] riscv: fix warning in arch/riscv/include/asm/module.h Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 51/68] iomap: FUA is wrong for DIO O_DSYNC writes into unwritten extents Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 52/68] iomap: sub-block dio needs to zeroout beyond EOF Sasha Levin
2018-11-29 12:19 ` Dave Chinner
2018-11-29 12:36 ` Amir Goldstein
2018-11-29 22:43 ` Dave Chinner
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 53/68] iomap: dio data corruption and spurious errors when pipes fill Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 54/68] iomap: readpages doesn't zero page tail beyond EOF Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 55/68] net: faraday: ftmac100: remove netif_running(netdev) check before disabling interrupts Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 56/68] iommu/vt-d: Use memunmap to free memremap Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 57/68] NFSv4.2 copy do not allocate memory under the lock Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 58/68] flexfiles: use per-mirror specified stateid for IO Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 59/68] net/dim: Update DIM start sample after each DIM iteration Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 60/68] net: thunderx: set xdp_prog to NULL if bpf_prog_add fails Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 61/68] ibmvnic: Fix RX queue buffer cleanup Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 62/68] ibmvnic: Update driver queues after change in ring size support Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 63/68] virtio-net: disable guest csum during XDP set Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 64/68] virtio-net: fail XDP set if guest csum is negotiated Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 65/68] team: no need to do team_notify_peers or team_mcast_rejoin when disabling port Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 66/68] net: amd: add missing of_node_put() Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 67/68] net: thunderx: set tso_hdrs pointer to NULL in nicvf_free_snd_queue Sasha Levin
2018-11-29 5:55 ` [PATCH AUTOSEL 4.19 68/68] net: gemini: Fix copy/paste error Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181129055559.159228-15-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=sven@narfation.org \
--cc=sw@simonwunderlich.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).