On Fri, 2012-06-29 at 22:58 +0200, Antonio Quartulli wrote: > commit 2c995ff892313009e336ecc8ec3411022f5b1c39 upstream. > > skb_linearize(skb) possibly rearranges the skb internal data and then changes > the skb->data pointer value. For this reason any other pointer in the code > that > was assigned skb->data before invoking skb_linearise(skb) must be re-assigned. > > In the current tt_query message handling code this is not done and therefore, > in > case of skb linearization, the pointer used to handle the packet header ends > up > in pointing to poisoned memory. The packet is then dropped but the > translation-table mechanism is corrupted. > > Signed-off-by: Antonio Quartulli <[email protected]> > Signed-off-by: Sven Eckelmann <[email protected]> > --- > Hello, > > the patch committed upstream already contains Cc: [email protected] but > that patch does apply only on 3.5, 3.4 and 3.3. > > This patch is a backport for kernel versions 3.1 and 3.2 [...] > --- a/net/batman-adv/routing.c > +++ b/net/batman-adv/routing.c > @@ -1246,6 +1246,8 @@ int recv_tt_query(struct sk_buff *skb, struct > hard_iface *recv_if) > /* packet needs to be linearised to access the TT changes */
Interesting context; the spelling of 'linearized' doesn't match and the line numbers are way off. :-) But OK, I've added this to the queue. Ben. > if (skb_linearize(skb) < 0) > goto out; > + /* skb_linearize() possibly changed skb->data */ > + tt_query = (struct tt_query_packet *)skb->data; > > if (is_my_mac(tt_query->dst)) > handle_tt_response(bat_priv, tt_query); -- Ben Hutchings If you seem to know what you are doing, you'll be given more to do.
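Review bot: the added `tt_query = (struct tt_query_packet *)skb->data;` immediately after the `skb_linearize(skb) < 0` check is the correct place to refresh the header pointer, but the same hazard applies to any other local in recv_tt_query() that was derived from skb->data before the linearize call (e.g. a pointer into the TT change list that follows the header); please confirm tt_query is the only such pointer between function entry and this hunk, otherwise those need the same reassignment. The subsequent `is_my_mac(tt_query->dst)` / `handle_tt_response(bat_priv, tt_query)` calls are the first uses after linearization, so no stale dereference remains on the shown path. The '@@ -1246' offset and the 'linearised' spelling in the existing comment differing from upstream are expected for a 3.1/3.2 backport and are cosmetic only.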