PKG_VERSION:=2013.2.0
BATCTL_VERSION:=2013.2.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
PKG_MD5SUM:=9ec18300b96df22f0ed21c9f51e4ccef
BATCTL_MD5SUM:=712f86cdd0f9076503fc48acf37e109e
From 9b96ecbae7295269aaa0320667f646870de65661 Mon Sep 17 00:00:00 2001
From: Antonio Quartulli <antonio@open-mesh.com>
Date: Wed, 3 Apr 2013 10:14:20 +0200
-Subject: [PATCH 1/2] batman-adv: use the proper header len when checking the
+Subject: [PATCH 1/6] batman-adv: use the proper header len when checking the
TTVN
Unicast packet might be of type either UNICAST or
From 82d1a8ebf19a1b9841ee44ce7b2448114be3e772 Mon Sep 17 00:00:00 2001
From: Patrick McHardy <kaber@trash.net>
Date: Wed, 24 Apr 2013 17:42:56 +0200
-Subject: [PATCH 2/2] net: vlan: add protocol argument to packet tagging
+Subject: [PATCH 2/6] net: vlan: add protocol argument to packet tagging
functions
Add a protocol argument to the VLAN packet tagging functions. In case of HW
--- /dev/null
+From aa7d19a5b97fe48657e075e8e4d130bd6916551e Mon Sep 17 00:00:00 2001
+From: Marek Lindner <lindner_marek@yahoo.de>
+Date: Sat, 27 Apr 2013 16:22:28 +0800
+Subject: [PATCH 3/6] batman-adv: check proto length before accessing proto
+ string buffer
+
+batadv_param_set_ra() strips the trailing '\n' from the supplied
+string buffer without checking the length of the buffer first. This
+patches avoids random memory access and associated potential
+crashes.
+
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+---
+ main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/main.c b/main.c
+index 3e30a0f..9c620cd 100644
+--- a/main.c
++++ b/main.c
+@@ -475,7 +475,7 @@ static int batadv_param_set_ra(const char *val, const struct kernel_param *kp)
+ char *algo_name = (char *)val;
+ size_t name_len = strlen(algo_name);
+
+- if (algo_name[name_len - 1] == '\n')
++ if (name_len > 0 && algo_name[name_len - 1] == '\n')
+ algo_name[name_len - 1] = '\0';
+
+ bat_algo_ops = batadv_algo_get(algo_name);
+--
+1.7.10.4
+
--- /dev/null
+From d22ebef1431aab13099370b89afa4ba55eb95c35 Mon Sep 17 00:00:00 2001
+From: Marek Lindner <lindner_marek@yahoo.de>
+Date: Tue, 7 May 2013 19:25:02 +0800
+Subject: [PATCH 4/6] batman-adv: check return value of pskb_trim_rcsum()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Reported-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+Acked-by: Martin Hundebøll <martin@hundeboll.net>
+---
+ network-coding.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/network-coding.c b/network-coding.c
+index f7c5430..e84629e 100644
+--- a/network-coding.c
++++ b/network-coding.c
+@@ -1514,6 +1514,7 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ struct ethhdr *ethhdr, ethhdr_tmp;
+ uint8_t *orig_dest, ttl, ttvn;
+ unsigned int coding_len;
++ int err;
+
+ /* Save headers temporarily */
+ memcpy(&coded_packet_tmp, skb->data, sizeof(coded_packet_tmp));
+@@ -1568,8 +1569,11 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
+ coding_len);
+
+ /* Resize decoded skb if decoded with larger packet */
+- if (nc_packet->skb->len > coding_len + h_size)
+- pskb_trim_rcsum(skb, coding_len + h_size);
++ if (nc_packet->skb->len > coding_len + h_size) {
++ err = pskb_trim_rcsum(skb, coding_len + h_size);
++ if (err)
++ return NULL;
++ }
+
+ /* Create decoded unicast packet */
+ unicast_packet = (struct batadv_unicast_packet *)skb->data;
+--
+1.7.10.4
+
--- /dev/null
+From d6bd8b36fa1f3d72a6fd5942a6e9bde6ddafcd0d Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <ordex@autistici.org>
+Date: Thu, 9 May 2013 09:35:45 +0200
+Subject: [PATCH 5/6] batman-adv: make DAT drop ARP requests targeting local
+ clients
+
+In the outgoing ARP request snooping routine in DAT, ARP
+Request sent by local clients which are supposed to be
+replied by other local clients can be silently dropped.
+
+The destination host will reply by itself through the LAN
+and therefore there is no need to involve DAT.
+
+Reported-by: Carlos Quijano <carlos@crqgestion.es>
+Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+Tested-by: Carlos Quijano <carlos@crqgestion.es>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+---
+ distributed-arp-table.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/distributed-arp-table.c b/distributed-arp-table.c
+index 8e15d96..2399920 100644
+--- a/distributed-arp-table.c
++++ b/distributed-arp-table.c
+@@ -837,6 +837,19 @@ bool batadv_dat_snoop_outgoing_arp_request(struct batadv_priv *bat_priv,
+
+ dat_entry = batadv_dat_entry_hash_find(bat_priv, ip_dst);
+ if (dat_entry) {
++ /* If the ARP request is destined for a local client the local
++ * client will answer itself. DAT would only generate a
++ * duplicate packet.
++ *
++ * Moreover, if the soft-interface is enslaved into a bridge, an
++ * additional DAT answer may trigger kernel warnings about
++ * a packet coming from the wrong port.
++ */
++ if (batadv_is_my_client(bat_priv, dat_entry->mac_addr)) {
++ ret = true;
++ goto out;
++ }
++
+ skb_new = arp_create(ARPOP_REPLY, ETH_P_ARP, ip_src,
+ bat_priv->soft_iface, ip_dst, hw_src,
+ dat_entry->mac_addr, hw_src);
+--
+1.7.10.4
+
--- /dev/null
+From 763f413b9c74ccb25cb066408f49f07e5dd78f9b Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <ordex@autistici.org>
+Date: Tue, 7 May 2013 01:06:18 +0200
+Subject: [PATCH 6/6] batman-adv: reorder clean up routine in order to avoid
+ race conditions
+
+nc_worker accesses the originator table during its periodic
+work, but since the originator table is freed before
+stopping the worker this leads to a global protection fault.
+
+Fix this by killing the worker (in nc_free) before freeing
+the originator table.
+
+Moreover tidy up the entire clean up routine by running all
+the subcomponents freeing procedures first and then killing
+the TT and the originator tables at the end.
+
+Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+---
+ main.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/main.c b/main.c
+index 9c620cd..1240f07 100644
+--- a/main.c
++++ b/main.c
+@@ -163,14 +163,22 @@ void batadv_mesh_free(struct net_device *soft_iface)
+ batadv_vis_quit(bat_priv);
+
+ batadv_gw_node_purge(bat_priv);
+- batadv_originator_free(bat_priv);
+ batadv_nc_free(bat_priv);
++ batadv_dat_free(bat_priv);
++ batadv_bla_free(bat_priv);
+
++ /* Free the TT and the originator tables only after having terminated
++ * all the other depending components which may use these structures for
++ * their purposes.
++ */
+ batadv_tt_free(bat_priv);
+
+- batadv_bla_free(bat_priv);
+-
+- batadv_dat_free(bat_priv);
++ /* Since the originator table clean up routine is accessing the TT
++ * tables as well, it has to be invoked after the TT tables have been
++ * freed and marked as empty. This ensures that no cleanup RCU callbacks
++ * accessing the TT data are scheduled for later execution.
++ */
++ batadv_originator_free(bat_priv);
+
+ free_percpu(bat_priv->bat_counters);
+
+--
+1.7.10.4
+