batman-adv: verify tt len does not exceed packet len
authorMarek Lindner <lindner_marek@yahoo.de>
Sat, 9 Mar 2013 10:13:46 +0000 (10:13 +0000)
committerMarek Lindner <lindner_marek@yahoo.de>
Sat, 9 Mar 2013 10:13:46 +0000 (10:13 +0000)
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
SVN-Revision: 35906

net/batman-adv/Makefile
net/batman-adv/patches/0001-batman-adv-verify-tt-len-does-not-exceed-packet-len.patch [new file with mode: 0644]

index 5b797d5d2c240494e0c007f76d91fc984a5ddc70..efe7ed64c74a3759031f289a713ad9f306d6e342 100644 (file)
@@ -12,7 +12,7 @@ PKG_NAME:=batman-adv
 
 PKG_VERSION:=2013.1.0
 BATCTL_VERSION:=2013.1.0
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 PKG_MD5SUM:=fe1fd32eddde1f91575d7a7ec21d5782
 BATCTL_MD5SUM:=767bf36c77c517e1d321169bf9a7fae5
 
diff --git a/net/batman-adv/patches/0001-batman-adv-verify-tt-len-does-not-exceed-packet-len.patch b/net/batman-adv/patches/0001-batman-adv-verify-tt-len-does-not-exceed-packet-len.patch
new file mode 100644 (file)
index 0000000..37c6532
--- /dev/null
@@ -0,0 +1,42 @@
+From e56c79f4e863436d0fc6c48fed0db09b7a49e565 Mon Sep 17 00:00:00 2001
+From: Marek Lindner <lindner_marek@yahoo.de>
+Date: Mon, 4 Mar 2013 10:39:49 +0800
+Subject: [PATCH] batman-adv: verify tt len does not exceed packet len
+
+batadv_iv_ogm_process() accesses the packet using the tt_num_changes
+attribute regardless of the real packet len (assuming the length check
+was done before). Therefore a length check is needed to avoid reading
+random memory.
+
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+---
+ bat_iv_ogm.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c
+index 72fe1bb..d5be889 100644
+--- a/bat_iv_ogm.c
++++ b/bat_iv_ogm.c
+@@ -1292,7 +1292,8 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
+       batadv_ogm_packet = (struct batadv_ogm_packet *)packet_buff;
+       /* unpack the aggregated packets and process them one by one */
+-      do {
++      while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,
++                                       batadv_ogm_packet->tt_num_changes)) {
+               tt_buff = packet_buff + buff_pos + BATADV_OGM_HLEN;
+               batadv_iv_ogm_process(ethhdr, batadv_ogm_packet, tt_buff,
+@@ -1303,8 +1304,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
+               packet_pos = packet_buff + buff_pos;
+               batadv_ogm_packet = (struct batadv_ogm_packet *)packet_pos;
+-      } while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,
+-                                         batadv_ogm_packet->tt_num_changes));
++      }
+       kfree_skb(skb);
+       return NET_RX_SUCCESS;
+-- 
+1.7.10.4
+
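Review bot: In the new `while` condition of batadv_iv_ogm_receive(), `batadv_ogm_packet->tt_num_changes` is read as a call argument before batadv_iv_ogm_aggr_packet() can compare anything with packet_len. On the pass after the last aggregated OGM, the pointer set at the bottom of the loop (`packet_buff + buff_pos`) may therefore already lie at or past the end of the received data. The helper's body is not visible here and it presumably rejects that position, but the field read has already happened by then; the first pass is only safe if an earlier check in the function, outside these hunks, guarantees BATADV_OGM_HLEN bytes. I would test the fixed header first, e.g. `while (buff_pos + BATADV_OGM_HLEN <= packet_len &&` ahead of the existing call, or pass the header pointer into the helper so it makes that comparison before dereferencing. A one-line comment above the loop, such as `/* length must be validated before batadv_iv_ogm_process() reads tt_buff */`, would keep a later refactor from moving the check back to the loop tail.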