diff options
| author | Antonio Quartulli <antonio@meshcoding.com> | 2014-02-15 15:50:37 -0500 |
|---|---|---|
| committer | Antonio Quartulli <antonio@meshcoding.com> | 2014-02-17 11:17:02 -0500 |
| commit | 70b271a78beba787155d6696aacd7c4d4a251c50 (patch) | |
| tree | bb8f4e8e8f9833d993b8f09638a063d6290f5281 /net/batman-adv/send.c | |
| parent | a5a5cb8cab526af2f6cbe9715f8ca843192f0d81 (diff) | |
batman-adv: fix potential kernel paging error for unicast transmissions
batadv_send_skb_prepare_unicast(_4addr) might reallocate the
skb's data. If it does then our ethhdr pointer is not valid
anymore in batadv_send_skb_unicast(), resulting in a kernel
paging error.
Fixing this by refetching the ethhdr pointer after the
potential reallocation.
Signed-off-by: Linus Lüssing <linus.luessing@web.de>
Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
Diffstat (limited to 'net/batman-adv/send.c')
| -rw-r--r-- | net/batman-adv/send.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/net/batman-adv/send.c b/net/batman-adv/send.c index 579f5f00a385..843febd1e519 100644 --- a/net/batman-adv/send.c +++ b/net/batman-adv/send.c | |||
| @@ -254,9 +254,9 @@ static int batadv_send_skb_unicast(struct batadv_priv *bat_priv, | |||
| 254 | struct batadv_orig_node *orig_node, | 254 | struct batadv_orig_node *orig_node, |
| 255 | unsigned short vid) | 255 | unsigned short vid) |
| 256 | { | 256 | { |
| 257 | struct ethhdr *ethhdr = (struct ethhdr *)skb->data; | 257 | struct ethhdr *ethhdr; |
| 258 | struct batadv_unicast_packet *unicast_packet; | 258 | struct batadv_unicast_packet *unicast_packet; |
| 259 | int ret = NET_XMIT_DROP; | 259 | int ret = NET_XMIT_DROP, hdr_size; |
| 260 | 260 | ||
| 261 | if (!orig_node) | 261 | if (!orig_node) |
| 262 | goto out; | 262 | goto out; |
| @@ -265,12 +265,16 @@ static int batadv_send_skb_unicast(struct batadv_priv *bat_priv, | |||
| 265 | case BATADV_UNICAST: | 265 | case BATADV_UNICAST: |
| 266 | if (!batadv_send_skb_prepare_unicast(skb, orig_node)) | 266 | if (!batadv_send_skb_prepare_unicast(skb, orig_node)) |
| 267 | goto out; | 267 | goto out; |
| 268 | |||
| 269 | hdr_size = sizeof(*unicast_packet); | ||
| 268 | break; | 270 | break; |
| 269 | case BATADV_UNICAST_4ADDR: | 271 | case BATADV_UNICAST_4ADDR: |
| 270 | if (!batadv_send_skb_prepare_unicast_4addr(bat_priv, skb, | 272 | if (!batadv_send_skb_prepare_unicast_4addr(bat_priv, skb, |
| 271 | orig_node, | 273 | orig_node, |
| 272 | packet_subtype)) | 274 | packet_subtype)) |
| 273 | goto out; | 275 | goto out; |
| 276 | |||
| 277 | hdr_size = sizeof(struct batadv_unicast_4addr_packet); | ||
| 274 | break; | 278 | break; |
| 275 | default: | 279 | default: |
| 276 | /* this function supports UNICAST and UNICAST_4ADDR only. It | 280 | /* this function supports UNICAST and UNICAST_4ADDR only. It |
| @@ -279,6 +283,7 @@ static int batadv_send_skb_unicast(struct batadv_priv *bat_priv, | |||
| 279 | goto out; | 283 | goto out; |
| 280 | } | 284 | } |
| 281 | 285 | ||
| 286 | ethhdr = (struct ethhdr *)(skb->data + hdr_size); | ||
| 282 | unicast_packet = (struct batadv_unicast_packet *)skb->data; | 287 | unicast_packet = (struct batadv_unicast_packet *)skb->data; |
| 283 | 288 | ||
| 284 | /* inform the destination node that we are still missing a correct route | 289 | /* inform the destination node that we are still missing a correct route |