Staging: batman-adv: ensure that eth_type_trans gets linear memory

eth_type_trans tries to pull data with the length of the ethernet header from the skb. We only ensured that enough data for the first ethernet header and the batman header is available in non-paged memory of the skb and not for the ethernet after the batman header. eth_type_trans would fail sometimes with drivers which don't ensure that all there data is perfectly linearised. The failure was noticed through a kernel bug Oops generated by the skb_pull inside eth_type_trans. Reported-by: Rafal Lesniak <lesniak@eresi-project.org> Signed-off-by: Marek Lindner <lindner_marek@yahoo.de> Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
author: Marek Lindner <lindner_marek@yahoo.de> 2010-11-22 06:34:49 -0500
committer: Greg Kroah-Hartman <gregkh@suse.de> 2010-11-29 13:53:14 -0500
commit: b6faaae1a15a352d68b3e3cd8b840e56709820bf (patch)
tree: 744d812b905df6518c39c103511c6b16ad7bd328 /drivers/staging
parent: 9ee898739b7e4d292abed911008b3f91b442118a (diff)
1 files changed, 10 insertions, 4 deletions
diff --git a/drivers/staging/batman-adv/soft-interface.c b/drivers/staging/batman-adv/soft-interface.c
index 3904db9ce7b..0e996181daf 100644
--- a/drivers/staging/batman-adv/soft-interface.c
+++ b/drivers/staging/batman-adv/soft-interface.c
@@ -194,14 +194,15 @@ void interface_rx(struct net_device *soft_iface,
        struct bat_priv *priv = netdev_priv(soft_iface);
        /* check if enough space is available for pulling, and pull */
-        if (!pskb_may_pull(skb, hdr_size)) {
+        if (!pskb_may_pull(skb, hdr_size))
-                kfree_skb(skb);
+                goto dropped;
-                return;
-        }
        skb_pull_rcsum(skb, hdr_size);
 /*      skb_set_mac_header(skb, -sizeof(struct ethhdr));*/
        /* skb->dev & skb->pkt_type are set here */
+        if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
+                goto dropped;
        skb->protocol = eth_type_trans(skb, soft_iface);
        /* should not be neccesary anymore as we use skb_pull_rcsum()
@@ -216,6 +217,11 @@ void interface_rx(struct net_device *soft_iface,
        soft_iface->last_rx = jiffies;
        netif_rx(skb);
+        return;
+dropped:
+        kfree_skb(skb);
+        return;
 }
 #ifdef HAVE_NET_DEVICE_OPS
author	Marek Lindner <lindner_marek@yahoo.de>	2010-11-22 06:34:49 -0500
committer	Greg Kroah-Hartman <gregkh@suse.de>	2010-11-29 13:53:14 -0500
commit	b6faaae1a15a352d68b3e3cd8b840e56709820bf (patch)
tree	744d812b905df6518c39c103511c6b16ad7bd328 /drivers/staging
parent	9ee898739b7e4d292abed911008b3f91b442118a (diff)

diff --git a/drivers/staging/batman-adv/soft-interface.c b/drivers/staging/batman-adv/soft-interface.c index 3904db9ce7b..0e996181daf 100644 --- a/drivers/staging/batman-adv/soft-interface.c +++ b/drivers/staging/batman-adv/soft-interface.c
@@ -194,14 +194,15 @@ void interface_rx(struct net_device *soft_iface,
194	struct bat_priv *priv = netdev_priv(soft_iface);	194	struct bat_priv *priv = netdev_priv(soft_iface);
195		195
196	/* check if enough space is available for pulling, and pull */	196	/* check if enough space is available for pulling, and pull */
197	if (!pskb_may_pull(skb, hdr_size)) {	197	if (!pskb_may_pull(skb, hdr_size))
198	kfree_skb(skb);	198	goto dropped;
199	return;	199
200	}
201	skb_pull_rcsum(skb, hdr_size);	200	skb_pull_rcsum(skb, hdr_size);
202	/* skb_set_mac_header(skb, -sizeof(struct ethhdr));*/	201	/* skb_set_mac_header(skb, -sizeof(struct ethhdr));*/
203		202
204	/* skb->dev & skb->pkt_type are set here */	203	/* skb->dev & skb->pkt_type are set here */
		204	if (unlikely(!pskb_may_pull(skb, ETH_HLEN)))
		205	goto dropped;
205	skb->protocol = eth_type_trans(skb, soft_iface);	206	skb->protocol = eth_type_trans(skb, soft_iface);
206		207
207	/* should not be neccesary anymore as we use skb_pull_rcsum()	208	/* should not be neccesary anymore as we use skb_pull_rcsum()
@@ -216,6 +217,11 @@ void interface_rx(struct net_device *soft_iface,
216	soft_iface->last_rx = jiffies;	217	soft_iface->last_rx = jiffies;
217		218
218	netif_rx(skb);	219	netif_rx(skb);
		220	return;
		221
		222	dropped:
		223	kfree_skb(skb);
		224	return;
219	}	225	}
220		226
221	#ifdef HAVE_NET_DEVICE_OPS	227	#ifdef HAVE_NET_DEVICE_OPS