batman-adv: Only read OGM tvlv_len after buffer len check - kernel/linux.git

diff options

author	Sven Eckelmann <sven@narfation.org>	2019-08-22 09:55:36 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-09-16 09:19:33 +0300
commit	6c59cb113e8c2082deab865d4ffb694cdfcbf61f (patch)
tree	0011c5d7087156811cc62fa75dbeb7ecbe896613 /scripts
parent	cffe4e6087e84d42298d4872f7a86afe0065fae2 (diff)
download	linux-6c59cb113e8c2082deab865d4ffb694cdfcbf61f.tar.xz

batman-adv: Only read OGM tvlv_len after buffer len check

commit a15d56a60760aa9dbe26343b9a0ac5228f35d445 upstream. Multiple batadv_ogm_packet can be stored in an skbuff. The functions batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use batadv_iv_ogm_aggr_packet() to check if there is another additional batadv_ogm_packet in the skb or not before they continue processing the packet. The length for such an OGM is BATADV_OGM_HLEN + batadv_ogm_packet->tvlv_len. The check must first check that at least BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is part of the header. Otherwise it might try read outside of the currently available skbuff to get the content of tvlv_len. Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure") Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com Signed-off-by: Sven Eckelmann <sven@narfation.org> Acked-by: Antonio Quartulli <a@unstable.cc> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Diffstat (limited to 'scripts')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: