Here are two batman-adv bugfixes:
- Fix OGM and OGMv2 header read boundary check,
by Sven Eckelmann (2 patches)
-----BEGIN PGP SIGNATURE-----
iQJKBAABCgA0FiEE1ilQI7G+y+fdhnrfoSvjmEKSnqEFAl1ozuUWHHN3QHNpbW9u
d3VuZGVybGljaC5kZQAKCRChK+OYQpKeoQt8D/0U5gjwcMbqt5W9UekW6Ci+Up6I
jJ3/hoZUD8lLWeKkYkSHdTUElpy0bLdLVGjUBJIZxM+UrCuKSTt0u04PAWN80JhZ
JdRblj0qicdwKll0Oyw08Ind5FKLLgDjN30z/9mDDRguMxJavowdBtmb5y/ybbiU
o4M/fnSkhUwiRwWK3cUKq1SVUrjAOg/C3fE7zVrn8XzRxH4TGvReCZTLKZZa9cGJ
m6Le68zT/JOrGe3O0uwQXbHFl+eqKYqNfrV4GBhL6saqLTrr3naiXjIP5YfyNONm
U0GRjmXWFQwfwwNxYeLqspwrg8VVuhy84H2FnrieY5kyJVQuX8637XZn9HDDxtkl
42TQ/jtogZ6GVamhN4c7HpvITeoPaVx8HLUJ3TPU89c7Va19D/XFBSKBL7nGADaM
FK0s8KZHXVkY18Lh4ak6dttjyZAnv7aNlpW7h0GyXJ0vTO6bU+QAQNOGZsO1romH
BHlX24+Y9G1PxtDHXE+fvEH4uolXuyOG6bgGVAEfWGLQdZoX5N9VjcRvP+BE7qUF
O4+I/sTVLXI65FYy/cRE+XwckXumZiq/PHqKHY7KB51Z0ZiMsi4yy0joVm64t/22
lm6922MP+r3vKudvMev08SKqFEcPze0JkwYE8XuirgnnjRsE+e1VJN2Z1j7yQKcI
K9gpMw7UREKglnwrhQ==
=hD2g
-----END PGP SIGNATURE-----
Merge tag 'batadv-net-for-davem-20190830' of git://git.open-mesh.org/linux-merge
Simon Wunderlich says:
====================
Here are two batman-adv bugfixes:
- Fix OGM and OGMv2 header read boundary check,
by Sven Eckelmann (2 patches)
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
Коммит
5b161002bd
|
|
@ -277,17 +277,23 @@ static u8 batadv_hop_penalty(u8 tq, const struct batadv_priv *bat_priv)
|
|||
* batadv_iv_ogm_aggr_packet() - checks if there is another OGM attached
|
||||
* @buff_pos: current position in the skb
|
||||
* @packet_len: total length of the skb
|
||||
* @tvlv_len: tvlv length of the previously considered OGM
|
||||
* @ogm_packet: potential OGM in buffer
|
||||
*
|
||||
* Return: true if there is enough space for another OGM, false otherwise.
|
||||
*/
|
||||
static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
|
||||
__be16 tvlv_len)
|
||||
static bool
|
||||
batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
|
||||
const struct batadv_ogm_packet *ogm_packet)
|
||||
{
|
||||
int next_buff_pos = 0;
|
||||
|
||||
next_buff_pos += buff_pos + BATADV_OGM_HLEN;
|
||||
next_buff_pos += ntohs(tvlv_len);
|
||||
/* check if there is enough space for the header */
|
||||
next_buff_pos += buff_pos + sizeof(*ogm_packet);
|
||||
if (next_buff_pos > packet_len)
|
||||
return false;
|
||||
|
||||
/* check if there is enough space for the optional TVLV */
|
||||
next_buff_pos += ntohs(ogm_packet->tvlv_len);
|
||||
|
||||
return (next_buff_pos <= packet_len) &&
|
||||
(next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
|
||||
|
|
@ -315,7 +321,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
|
|||
|
||||
/* adjust all flags and log packets */
|
||||
while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
|
||||
batadv_ogm_packet->tvlv_len)) {
|
||||
batadv_ogm_packet)) {
|
||||
/* we might have aggregated direct link packets with an
|
||||
* ordinary base packet
|
||||
*/
|
||||
|
|
@ -1704,7 +1710,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
|
|||
|
||||
/* unpack the aggregated packets and process them one by one */
|
||||
while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
|
||||
ogm_packet->tvlv_len)) {
|
||||
ogm_packet)) {
|
||||
batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
|
||||
|
||||
ogm_offset += BATADV_OGM_HLEN;
|
||||
|
|
|
|||
|
|
@ -631,17 +631,23 @@ batadv_v_ogm_process_per_outif(struct batadv_priv *bat_priv,
|
|||
* batadv_v_ogm_aggr_packet() - checks if there is another OGM aggregated
|
||||
* @buff_pos: current position in the skb
|
||||
* @packet_len: total length of the skb
|
||||
* @tvlv_len: tvlv length of the previously considered OGM
|
||||
* @ogm2_packet: potential OGM2 in buffer
|
||||
*
|
||||
* Return: true if there is enough space for another OGM, false otherwise.
|
||||
*/
|
||||
static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
|
||||
__be16 tvlv_len)
|
||||
static bool
|
||||
batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
|
||||
const struct batadv_ogm2_packet *ogm2_packet)
|
||||
{
|
||||
int next_buff_pos = 0;
|
||||
|
||||
next_buff_pos += buff_pos + BATADV_OGM2_HLEN;
|
||||
next_buff_pos += ntohs(tvlv_len);
|
||||
/* check if there is enough space for the header */
|
||||
next_buff_pos += buff_pos + sizeof(*ogm2_packet);
|
||||
if (next_buff_pos > packet_len)
|
||||
return false;
|
||||
|
||||
/* check if there is enough space for the optional TVLV */
|
||||
next_buff_pos += ntohs(ogm2_packet->tvlv_len);
|
||||
|
||||
return (next_buff_pos <= packet_len) &&
|
||||
(next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
|
||||
|
|
@ -818,7 +824,7 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb,
|
|||
ogm_packet = (struct batadv_ogm2_packet *)skb->data;
|
||||
|
||||
while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
|
||||
ogm_packet->tvlv_len)) {
|
||||
ogm_packet)) {
|
||||
batadv_v_ogm_process(skb, ogm_offset, if_incoming);
|
||||
|
||||
ogm_offset += BATADV_OGM2_HLEN;
|
||||
|
|
|
|||
Загрузка…
Ссылка в новой задаче