X-Git-Url: http://git.openwrt.org/?a=blobdiff_plain;f=batman-adv%2Fpatches%2F0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch;fp=batman-adv%2Fpatches%2F0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch;h=479bfb8bea6be7811da2c72385199318c0d2d79f;hb=2c8de62f4a686990744c0e9d8d88a0a5aae0b2d3;hp=0000000000000000000000000000000000000000;hpb=2ac8e7b42b034cf9f4d1507f280e08739fd80685;p=feed%2Frouting.git diff --git a/batman-adv/patches/0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch b/batman-adv/patches/0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch new file mode 100644 index 0000000..479bfb8 --- /dev/null +++ b/batman-adv/patches/0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch 
@@ -0,0 +1,44 @@ +From: Sven Eckelmann +Date: Wed, 7 Nov 2018 23:09:12 +0100 +Subject: [PATCH] batman-adv: Expand merged fragment buffer for full packet + +The complete size ("total_size") of the fragmented packet is stored in the +fragment header and in the size of the fragment chain. When the fragments +are ready for merge, the skbuff's tail of the first fragment is expanded to +have enough room after the data pointer for at least total_size. This means +that it gets expanded by total_size - first_skb->len. + +But this is ignoring the fact that after expanding the buffer, the fragment +header is pulled by from this buffer. Assuming that the tailroom of the +buffer was already 0, the buffer after the data pointer of the skbuff is +now only total_size - len(fragment_header) large. When the merge function +is then processing the remaining fragments, the code to copy the data over +to the merged skbuff will cause an skb_over_panic when it tries to actually +put enough data to fill the total_size bytes of the packet. + +The size of the skb_pull must therefore also be taken into account when the +buffer's tailroom is expanded. + +Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge") +Reported-by: Martin Weinelt +Co-authored-by: Linus Lüssing +Signed-off-by: Sven Eckelmann + +Origin: other, https://patchwork.open-mesh.org/patch/17616/ +--- + net/batman-adv/fragmentation.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c +index 5969d3705ec08a96438ecce06577d35291600753..f6a5196d0370517716dfc9e1f80fb878a068801d 100644 +--- a/net/batman-adv/fragmentation.c ++++ b/net/batman-adv/fragmentation.c +@@ -274,7 +274,7 @@ batadv_frag_merge_packets(struct hlist_head *chain) + kfree(entry); + + packet = (struct batadv_frag_packet *)skb_out->data; +- size = ntohs(packet->total_size); ++ size = ntohs(packet->total_size) + hdr_size; + + /* Make room for the rest of the fragments. 
*/ + if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
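Review bot: In the fragmentation.c hunk (@@ -274,7 +274,7 @@), the comment above the pskb_expand_head() call still says only "Make room for the rest of the fragments.", while the new line `size = ntohs(packet->total_size) + hdr_size;` also reserves room for the fragment header that is pulled off skb_out before the remaining fragments are copied in; that reasoning currently lives only in the commit message. Suggest extending the comment, e.g. "Make room for the rest of the fragments. hdr_size is pulled from skb_out below, so it must be counted here too.", so the next reader does not "simplify" the addition away again. A second, smaller point: `size - skb_out->len` is handed to pskb_expand_head() as ntail without a guard, so the hunk relies on the caller having already ensured the first fragment is never longer than total_size + hdr_size; a one-line comment stating that precondition (or a defensive check) at this point would make the assumption explicit.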
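Review bot: In the new patch file's trailer block, "Co-authored-by: Linus Lüssing" is not a tag the kernel's submitting-patches process recognises; the documented form is "Co-developed-by:", and it must be immediately followed by a "Signed-off-by:" from that co-author. Since this is a backport of a net/batman-adv change, aligning the trailers now avoids the patch being bounced on that point when it is forwarded upstream unchanged.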