From 2c8de62f4a686990744c0e9d8d88a0a5aae0b2d3 Mon Sep 17 00:00:00 2001
From: Sven Eckelmann
Date: Thu, 8 Nov 2018 00:00:26 +0100
Subject: [PATCH] batman-adv: Merge bugfixes from 2018.4

* Use explicit tvlv padding for ELP packets
* Expand merged fragment buffer for full packet
Signed-off-by: Sven Eckelmann
---
 batman-adv/Makefile | 2 +-
 ...xplicit-tvlv-padding-for-ELP-packets.patch | 58 +++++++++++++++++++
 ...d-merged-fragment-buffer-for-full-pa.patch | 44 ++++++++++++++
 3 files changed, 103 insertions(+), 1 deletion(-)
 create mode 100644 batman-adv/patches/0056-batman-adv-Use-explicit-tvlv-padding-for-ELP-packets.patch
 create mode 100644 batman-adv/patches/0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch

diff --git a/batman-adv/Makefile b/batman-adv/Makefile
index 10d77c2..09c3692 100644
--- a/batman-adv/Makefile
+++ b/batman-adv/Makefile
@@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=batman-adv
 PKG_VERSION:=2016.5
-PKG_RELEASE:=10
+PKG_RELEASE:=11
 PKG_MD5SUM:=6717a933a08dd2a01b00df30cb9f16a8
 PKG_HASH:=d0a0fc90c4f410b57d043215e253bb0b855efa5edbe165d87c17bfdcfafd0db7
 
diff --git a/batman-adv/patches/0056-batman-adv-Use-explicit-tvlv-padding-for-ELP-packets.patch b/batman-adv/patches/0056-batman-adv-Use-explicit-tvlv-padding-for-ELP-packets.patch
new file mode 100644
index 0000000..44f68ce
--- /dev/null
+++ b/batman-adv/patches/0056-batman-adv-Use-explicit-tvlv-padding-for-ELP-packets.patch
@@ -0,0 +1,58 @@
+From: Sven Eckelmann
+Date: Tue, 30 Oct 2018 12:17:10 +0100
+Subject: [PATCH] batman-adv: Use explicit tvlv padding for ELP packets
+
+The announcement messages of batman-adv COMPAT_VERSION 15 have the
+possibility to announce additional information via a dynamic TVLV part.
+This part is optional for the ELP packets and currently not parsed by the
+Linux implementation. Still out-of-tree versions are using it to transport
+things like neighbor hashes to optimize the rebroadcast behavior.
+
+Since the ELP broadcast packets are smaller than the minimal ethernet
+packet, it often has to be padded. This is often done (as specified in
+RFC894) with octets of zero and thus work perfectly fine with the TVLV
+part (making it a zero length and thus empty). But not all ethernet
+compatible hardware seems to follow this advice. To avoid ambiguous
+situations when parsing the TVLV header, just force the 4 bytes (TVLV
+length + padding) after the required ELP header to zero.
+
+Fixes: a4b88af77e28 ("batman-adv: ELP - adding basic infrastructure")
+Reported-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+
+Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/974337ee9773c4bd0a2d5c322306cf2bea445e11
+---
+ net/batman-adv/bat_v_elp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
+index 2ec0ecab0493ff88fdc01e55c8557de5b772e8bf..08c0809fca7de1fe51727652a2e870ddfa74dc13 100644
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -338,21 +338,23 @@ out:
+ */
+ int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface)
+ {
++ static const size_t tvlv_padding = sizeof(__be32);
+ struct batadv_elp_packet *elp_packet;
+ unsigned char *elp_buff;
+ u32 random_seqno;
+ size_t size;
+ int res = -ENOMEM;
+ 
+- size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN;
++ size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN + tvlv_padding;
+ 
+ hard_iface->bat_v.elp_skb = dev_alloc_skb(size);
+ if (!hard_iface->bat_v.elp_skb)
+ goto out;
+ 
+ skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN);
+- elp_buff = skb_put(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
++ elp_buff = skb_put(hard_iface->bat_v.elp_skb,
++ BATADV_ELP_HLEN + tvlv_padding);
+ elp_packet = (struct batadv_elp_packet *)elp_buff;
+- memset(elp_packet, 0, BATADV_ELP_HLEN);
++ memset(elp_packet, 0, BATADV_ELP_HLEN + tvlv_padding);
+ 
+ elp_packet->packet_type = BATADV_ELP;
+ elp_packet->version = BATADV_COMPAT_VERSION;
diff --git a/batman-adv/patches/0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch b/batman-adv/patches/0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch
new file mode 100644
index 0000000..479bfb8
--- /dev/null
+++ b/batman-adv/patches/0057-batman-adv-Expand-merged-fragment-buffer-for-full-pa.patch
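Review bot: The constant `static const size_t tvlv_padding = sizeof(__be32);` in batadv_v_elp_iface_enable encodes a wire-format assumption (the TVLV length field plus padding following the ELP header is 4 bytes) that is explained only in the commit message, so a comment on the declaration would keep the reason with the code, e.g. `/* TVLV length field + padding after the ELP header; zeroed so frame padding from the NIC is never read as a TVLV length */`. Since this value describes the on-wire layout rather than a local sizing choice, it arguably belongs next to BATADV_ELP_HLEN in the packet header definitions instead of a function-local static. Zeroing these bytes on the sender only removes the ambiguity for frames this node emits; any receiver that does parse the ELP TVLV part (none in this tree, according to the description) still has to bound the announced length by the remaining skb length, which this change does not and cannot provide. The enclosing function continues past the end of the hunk.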
@@ -0,0 +1,44 @@
+From: Sven Eckelmann
+Date: Wed, 7 Nov 2018 23:09:12 +0100
+Subject: [PATCH] batman-adv: Expand merged fragment buffer for full packet
+
+The complete size ("total_size") of the fragmented packet is stored in the
+fragment header and in the size of the fragment chain. When the fragments
+are ready for merge, the skbuff's tail of the first fragment is expanded to
+have enough room after the data pointer for at least total_size. This means
+that it gets expanded by total_size - first_skb->len.
+
+But this is ignoring the fact that after expanding the buffer, the fragment
+header is pulled by from this buffer. Assuming that the tailroom of the
+buffer was already 0, the buffer after the data pointer of the skbuff is
+now only total_size - len(fragment_header) large. When the merge function
+is then processing the remaining fragments, the code to copy the data over
+to the merged skbuff will cause an skb_over_panic when it tries to actually
+put enough data to fill the total_size bytes of the packet.
+
+The size of the skb_pull must therefore also be taken into account when the
+buffer's tailroom is expanded.
+
+Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
+Reported-by: Martin Weinelt
+Co-authored-by: Linus Lüssing
+Signed-off-by: Sven Eckelmann
+
+Origin: other, https://patchwork.open-mesh.org/patch/17616/
+---
+ net/batman-adv/fragmentation.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
+index 5969d3705ec08a96438ecce06577d35291600753..f6a5196d0370517716dfc9e1f80fb878a068801d 100644
+--- a/net/batman-adv/fragmentation.c
++++ b/net/batman-adv/fragmentation.c
+@@ -274,7 +274,7 @@ batadv_frag_merge_packets(struct hlist_head *chain)
+ kfree(entry);
+ 
+ packet = (struct batadv_frag_packet *)skb_out->data;
+- size = ntohs(packet->total_size);
++ size = ntohs(packet->total_size) + hdr_size;
+ 
+ /* Make room for the rest of the fragments. */
+ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
-- 
2.30.2
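Review bot: The `+ hdr_size` term in `size = ntohs(packet->total_size) + hdr_size;` is exactly the kind of correction a later cleanup can undo, because the reason lives only in the commit message; a comment such as `/* total_size counts payload only; the fragment header still in front of data is pulled after the expansion, so keep room for it too */` would pin it to the code. The expansion amount `size - skb_out->len` on the next line is derived from a length supplied by the remote peer, so this hunk is correct only if the insertion path has already verified that the announced total_size is consistent with the accumulated fragment payload and below the fragment size limit before the chain reaches this merge; that check is outside the hunk and deserves a one-line pointer in the same comment. batadv_frag_merge_packets begins before and continues after the hunk.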