batman-adv: fix skb data assignment

Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
git-svn-id: svn://svn.openwrt.org/openwrt/packages/net/batman-adv@32386 3c298f89-4303-0410-b956-a3cf2f4a3e73

diff --git a/patches/0001-batman-adv-fix-skb-data-assignment.patch b/patches/0001-batman-adv-fix-skb-data-assignment.patch
new file mode 100644 (file)
index 0000000..e30f229
--- /dev/null
+++ b/patches/0001-batman-adv-fix-skb-data-assignment.patch
@@ -0,0 +1,35 @@
+From c7d05ee2b60370392d9c7bb1b764fd36b5aec81b Mon Sep 17 00:00:00 2001
+From: Antonio Quartulli <ordex@autistici.org>
+Date: Thu, 14 Jun 2012 22:21:28 +0200
+Subject: [PATCH] batman-adv: fix skb->data assignment
+
+skb_linearize(skb) possibly rearranges the skb internal data and then changes
+the skb->data pointer value. For this reason any other pointer in the code that
+was assigned skb->data before invoking skb_linearise(skb) must be re-assigned.
+
+In the current tt_query message handling code this is not done and therefore, in
+case of skb linearization, the pointer used to handle the packet header ends up
+in pointing to poisoned memory. The packet is then dropped but the
+translation-table mechanism is corrupted.
+
+Signed-off-by: Antonio Quartulli <ordex@autistici.org>
+---
+ routing.c |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/routing.c b/routing.c
+index 840e2c6..015471d 100644
+--- a/routing.c
++++ b/routing.c
+@@ -617,6 +617,8 @@ int recv_tt_query(struct sk_buff *skb, struct hard_iface *recv_if)
+                        * changes */
+                       if (skb_linearize(skb) < 0)
+                               goto out;
++                      /* skb_linearize() possibly changed skb->data */
++                      tt_query = (struct tt_query_packet *)skb->data;
+ 
+                       tt_len = tt_query->tt_data * sizeof(struct tt_change);
+ 
+-- 
+1.7.9.1
+