d4f4445d29
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
git-svn-id: svn://svn.openwrt.org/openwrt/packages@32386 3c298f89-4303-0410-b956-a3cf2f4a3e73
36 lines
1.3 KiB
Diff
From c7d05ee2b60370392d9c7bb1b764fd36b5aec81b Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <ordex@autistici.org>
Date: Thu, 14 Jun 2012 22:21:28 +0200
Subject: [PATCH] batman-adv: fix skb->data assignment

skb_linearize(skb) possibly rearranges the skb internal data and then changes
the skb->data pointer value. For this reason any other pointer in the code that
was assigned skb->data before invoking skb_linearize(skb) must be re-assigned.

In the current tt_query message handling code this is not done and therefore, in
case of skb linearization, the pointer used to handle the packet header ends up
pointing to poisoned memory. The packet is then dropped but the
translation-table mechanism is corrupted.

Signed-off-by: Antonio Quartulli <ordex@autistici.org>
---
routing.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/routing.c b/routing.c
index 840e2c6..015471d 100644
--- a/routing.c
+++ b/routing.c
@@ -617,6 +617,8 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
* changes */
if (skb_linearize(skb) < 0)
goto out;
+ /* skb_linearize() possibly changed skb->data */
+ tt_query = (struct tt_query_packet *)skb->data;
tt_len = tt_query->tt_data * sizeof(struct tt_change);
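Review bot: the refresh after skb_linearize() covers tt_query only, so any other local in recv_tt_query() that was derived from skb->data before this call still needs the same re-assignment, and the hunk context does not show whether one exists. A less fragile shape is to take the header pointer from skb->data only after the last call that can move the data, or to re-read it at each use, so a later change cannot reintroduce the stale pointer. Separately, the context line that follows computes tt_len from the packet-supplied tt_data multiplied by sizeof(struct tt_change); please confirm that the code after this hunk checks the result against the linear data length before the changes are read.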
--
1.7.9.1