Hi,
On 12/11/14 18:58, Sven Eckelmann wrote:
> batctl tcpdump has an array with all known TVLVs and versions. The correct
> parser for the TVLV is chosen by getting the pointer from the address
> calculated by version and type. Unfortunately, the version and type were never
> validated to ensure that not an unknown TVLV (like mcast) was received.
>
> This missing validation makes it possible to crash batctl by injecting packets
> with an unknown type and/or version. batctl will try to get the parser, fetch a
> NULL pointer or random data and then try to dereference it. This is usually
> handled by the operating system with a segfault. But this might be exploitable
> in rare situations.
>
> An approach to handle this problem is by combining the simple selection step
> with the validation step. Only valid version+type will return a parser function
> pointer and the requesting function will only call the parser function pointer
> when it got one.
>
> This regression was introduced by 4c39fb823b86036df40187f8bd342fe5398c28ef
> ("batctl: tcpdump - parse TVLV containers").
>
> Signed-off-by: Sven Eckelmann <[email protected]>

For the whole series:

Acked-by: Antonio Quartulli <[email protected]>

Thank you very much for your work Sven!

@Marek: the offending patch is in next, therefore this patchset should be merged there as well.

Cheers,

-- 
Antonio Quartulli
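The lookup pattern the quoted commit message describes, shown as an added example in C that is not batctl's own code: a table indexed by TVLV type and version, an unchecked selection that reads past the table for unknown values, and the combined selection-plus-validation variant that returns NULL for anything outside the known range so the caller can skip the container instead of dereferencing garbage. The parser signature, the table bounds, the two toy parsers and the sample buffer are all constructed for illustration and do not match batctl's real definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical parser signature; batctl's real TVLV parsers look different. */
typedef int (*tvlv_parser_fn)(const uint8_t *data, size_t len);

/* Toy parsers standing in for the real ones: they just report the length. */
static int parse_gw(const uint8_t *data, size_t len) { (void)data; return (int)len; }
static int parse_dat(const uint8_t *data, size_t len) { (void)data; return (int)len * 2; }

/* Constructed table bounds: types 0..1 and versions 0..1 are "known". */
#define TVLV_TYPE_MAX    2
#define TVLV_VERSION_MAX 2

/* Parser table indexed by [type][version]; NULL marks a combination that has
 * no parser even though it lies inside the table. */
static const tvlv_parser_fn tvlv_parsers[TVLV_TYPE_MAX][TVLV_VERSION_MAX] = {
    [0][1] = parse_gw,
    [1][0] = parse_dat,
};

/* The "before" behaviour: no range check, so a type or version from the wire
 * that exceeds the table reads out of bounds (undefined behaviour, typically a
 * NULL or random pointer that the caller then dereferences). Never call this
 * with unvalidated input; it is here only for contrast. */
tvlv_parser_fn tvlv_parser_get_unchecked(uint8_t type, uint8_t version)
{
    return tvlv_parsers[type][version];
}

/* Selection and validation combined: only a known (type, version) pair yields
 * a parser; anything else, including in-range slots left NULL, returns NULL. */
tvlv_parser_fn tvlv_parser_get(uint8_t type, uint8_t version)
{
    if (type >= TVLV_TYPE_MAX || version >= TVLV_VERSION_MAX)
        return NULL;
    return tvlv_parsers[type][version];
}

/* Dispatch one TVLV container. Returns the parser's result, or -1 when the
 * type/version is unknown, so the caller skips it instead of crashing. */
int tvlv_dispatch(uint8_t type, uint8_t version, const uint8_t *data, size_t len)
{
    tvlv_parser_fn parser = tvlv_parser_get(type, version);

    if (!parser) {
        fprintf(stderr, "unknown TVLV type %u version %u, skipping\n",
                (unsigned)type, (unsigned)version);
        return -1;
    }
    return parser(data, len);
}

/* Constructed sample payload (contents are irrelevant to the toy parsers). */
static const uint8_t sample_tvlv[4] = { 0x01, 0x02, 0x03, 0x04 };

int main(void)
{
    /* Known pair: dispatched. Unknown pairs: reported and skipped, no crash. */
    printf("known   -> %d\n", tvlv_dispatch(0, 1, sample_tvlv, sizeof sample_tvlv));
    printf("unknown -> %d\n", tvlv_dispatch(7, 9, sample_tvlv, sizeof sample_tvlv));
    return 0;
}
```

The important design point is that the range check and the table read live in the same function, so there is no way for a caller to obtain a pointer without the bounds having been checked; the caller's only remaining obligation is the NULL test, which is exactly what the commit message proposes.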