Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8b7342d6 authored by Antonio Quartulli's avatar Antonio Quartulli Committed by Sven Eckelmann
Browse files

batman-adv: check for tt_reponse packet real length 



Before accessing the TT_RESPONSE packet payload, the node has to ensure that the
packet is long enough as it would expect to be.

Reported-by: default avatarSimon Wunderlich <siwu@hrz.tu-chemnitz.de>
Signed-off-by: default avatarAntonio Quartulli <ordex@autistici.org>
Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
parent dc58fe32

net/batman-adv/routing.c

+9 −0
Original line number Diff line number Diff line
@@ -578,6 +578,7 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) 
{

	struct bat_priv *bat_priv = netdev_priv(recv_if->soft_iface);

	struct tt_query_packet *tt_query;

	uint16_t tt_len;

	struct ethhdr *ethhdr;



	/* drop packet if it has not necessary minimum size */
@@ -622,6 +623,14 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if) 
			if (skb_linearize(skb) < 0)

				goto out;



			tt_len = tt_query->tt_data * sizeof(struct tt_change);



			/* Ensure we have all the claimed data */

			if (unlikely(skb_headlen(skb) <

					sizeof(struct tt_query_packet) +

					tt_len))

				goto out;



			handle_tt_response(bat_priv, tt_query);

		} else {

			bat_dbg(DBG_TT, bat_priv,