diff --git a/build_patches/changeset_35324.diff b/build_patches/changeset_35324.diff
new file mode 100644
index 0000000..393e359
--- /dev/null
+++ b/build_patches/changeset_35324.diff
@@ -0,0 +1,146 @@
+Index: /packages/net/batman-adv/Makefile
+===================================================================
+--- /packages/net/batman-adv/Makefile (revision 35323)
++++ /packages/net/batman-adv/Makefile (revision 35324)
+@@ -13,5 +13,5 @@
+ PKG_VERSION:=2013.0.0
+ BATCTL_VERSION:=2013.0.0
+-PKG_RELEASE:=1
++PKG_RELEASE:=2
+ PKG_MD5SUM:=37f4aa02f393daad3d87cead2bc28ed9
+ BATCTL_MD5SUM:=6ea4bcd8a9332d586bb06b5063f882cd
+Index: /packages/net/batman-adv/patches/0001-batman-adv-fix-skb-leak-in-batadv_dat_snoop_incoming.patch
+===================================================================
+--- /packages/net/batman-adv/patches/0001-batman-adv-fix-skb-leak-in-batadv_dat_snoop_incoming.patch (revision 35324)
++++ /packages/net/batman-adv/patches/0001-batman-adv-fix-skb-leak-in-batadv_dat_snoop_incoming.patch (revision 35324)
+@@ -0,0 +1,33 @@
++From 977d8c6f9253ad71e4bd8e4be2705c3bee684feb Mon Sep 17 00:00:00 2001
++From: Matthias Schiffer
++Date: Wed, 23 Jan 2013 18:11:53 +0100
++Subject: [PATCH 1/3] batman-adv: fix skb leak in
++ batadv_dat_snoop_incoming_arp_reply()
++
++The callers of batadv_dat_snoop_incoming_arp_reply() assume the skb has been
++freed when it returns true; fix this by calling kfree_skb before returning as
++it is done in batadv_dat_snoop_incoming_arp_request().
++
++Signed-off-by: Matthias Schiffer
++Signed-off-by: Marek Lindner
++Acked-by: Antonio Quartulli
++---
++ distributed-arp-table.c | 2 ++
++ 1 file changed, 2 insertions(+)
++
++diff --git a/distributed-arp-table.c b/distributed-arp-table.c
++index 7485a78..9f4cff3 100644
++--- a/distributed-arp-table.c
+++++ b/distributed-arp-table.c
++@@ -1012,6 +1012,8 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv,
++ */
++ ret = !batadv_is_my_client(bat_priv, hw_dst);
++ out:
+++ if (ret)
+++ kfree_skb(skb);
++ /* if ret == false -> packet has to be delivered to the interface */
++ return ret;
++ }
++--
++1.7.10.4
++
+Index: /packages/net/batman-adv/patches/0002-batman-adv-check-for-more-types-of-invalid-IP-addres.patch
+===================================================================
+--- /packages/net/batman-adv/patches/0002-batman-adv-check-for-more-types-of-invalid-IP-addres.patch (revision 35324)
++++ /packages/net/batman-adv/patches/0002-batman-adv-check-for-more-types-of-invalid-IP-addres.patch (revision 35324)
+@@ -0,0 +1,36 @@
++From 3b24193d7cfc18f0cc005811ca4aab3479c2f1c6 Mon Sep 17 00:00:00 2001
++From: Matthias Schiffer
++Date: Thu, 24 Jan 2013 18:18:26 +0100
++Subject: [PATCH 2/3] batman-adv: check for more types of invalid IP addresses
++ in DAT
++
++There are more types of IP addresses that may appear in ARP packets that we
++don't want to process. While some of these should never appear in sane ARP
++packets, a 0.0.0.0 source is used for duplicate address detection and thus seen
++quite often.
++
++Signed-off-by: Matthias Schiffer
++Acked-by: Antonio Quartulli
++Signed-off-by: Marek Lindner
++---
++ distributed-arp-table.c | 4 +++-
++ 1 file changed, 3 insertions(+), 1 deletion(-)
++
++diff --git a/distributed-arp-table.c b/distributed-arp-table.c
++index 9f4cff3..be3be28 100644
++--- a/distributed-arp-table.c
+++++ b/distributed-arp-table.c
++@@ -777,7 +777,9 @@ static uint16_t batadv_arp_get_type(struct batadv_priv *bat_priv,
++ ip_src = batadv_arp_ip_src(skb, hdr_size);
++ ip_dst = batadv_arp_ip_dst(skb, hdr_size);
++ if (ipv4_is_loopback(ip_src) || ipv4_is_multicast(ip_src) ||
++- ipv4_is_loopback(ip_dst) || ipv4_is_multicast(ip_dst))
+++ ipv4_is_loopback(ip_dst) || ipv4_is_multicast(ip_dst) ||
+++ ipv4_is_zeronet(ip_src) || ipv4_is_lbcast(ip_src) ||
+++ ipv4_is_zeronet(ip_dst) || ipv4_is_lbcast(ip_dst))
++ goto out;
++
++ type = ntohs(arphdr->ar_op);
++--
++1.7.10.4
++
+Index: /packages/net/batman-adv/patches/0003-batman-adv-filter-ARP-packets-with-invalid-MAC-addre.patch
+===================================================================
+--- /packages/net/batman-adv/patches/0003-batman-adv-filter-ARP-packets-with-invalid-MAC-addre.patch (revision 35324)
++++ /packages/net/batman-adv/patches/0003-batman-adv-filter-ARP-packets-with-invalid-MAC-addre.patch (revision 35324)
+@@ -0,0 +1,51 @@
++From ab361a9ccc584e7501c06bfe1c00cb0411feebaf Mon Sep 17 00:00:00 2001
++From: Matthias Schiffer
++Date: Thu, 24 Jan 2013 18:18:27 +0100
++Subject: [PATCH 3/3] batman-adv: filter ARP packets with invalid MAC
++ addresses in DAT
++
++We never want multicast MAC addresses in the Distributed ARP Table, so it's
++best to completely ignore ARP packets containing them where we expect unicast
++addresses.
++
++Signed-off-by: Matthias Schiffer
++Acked-by: Antonio Quartulli
++Signed-off-by: Marek Lindner
++---
++ distributed-arp-table.c | 13 +++++++++++++
++ 1 file changed, 13 insertions(+)
++
++diff --git a/distributed-arp-table.c b/distributed-arp-table.c
++index be3be28..ea0bd31 100644
++--- a/distributed-arp-table.c
+++++ b/distributed-arp-table.c
++@@ -738,6 +738,7 @@ static uint16_t batadv_arp_get_type(struct batadv_priv *bat_priv,
++ struct arphdr *arphdr;
++ struct ethhdr *ethhdr;
++ __be32 ip_src, ip_dst;
+++ uint8_t *hw_src, *hw_dst;
++ uint16_t type = 0;
++
++ /* pull the ethernet header */
++@@ -782,6 +783,18 @@ static uint16_t batadv_arp_get_type(struct batadv_priv *bat_priv,
++ ipv4_is_zeronet(ip_dst) || ipv4_is_lbcast(ip_dst))
++ goto out;
++
+++ hw_src = batadv_arp_hw_src(skb, hdr_size);
+++ if (is_zero_ether_addr(hw_src) || is_multicast_ether_addr(hw_src))
+++ goto out;
+++
+++ /* we don't care about the destination MAC address in ARP requests */
+++ if (arphdr->ar_op != htons(ARPOP_REQUEST)) {
+++ hw_dst = batadv_arp_hw_dst(skb, hdr_size);
+++ if (is_zero_ether_addr(hw_dst) ||
+++ is_multicast_ether_addr(hw_dst))
+++ goto out;
+++ }
+++
++ type = ntohs(arphdr->ar_op);
++ out:
++ return type;
++--
++1.7.10.4
++
diff --git a/build_patches/changeset_35609.diff b/build_patches/changeset_35609.diff
new file mode 100644
index 0000000..2ab43b6
--- /dev/null
+++ b/build_patches/changeset_35609.diff
@@ -0,0 +1,87 @@
+Index: /packages/net/batman-adv/Makefile
+===================================================================
+--- /packages/net/batman-adv/Makefile (revision 35608)
++++ /packages/net/batman-adv/Makefile (revision 35609)
+@@ -13,5 +13,5 @@
+ PKG_VERSION:=2013.0.0
+ BATCTL_VERSION:=2013.0.0
+-PKG_RELEASE:=2
++PKG_RELEASE:=3
+ PKG_MD5SUM:=37f4aa02f393daad3d87cead2bc28ed9
+ BATCTL_MD5SUM:=6ea4bcd8a9332d586bb06b5063f882cd
+Index: /packages/net/batman-adv/patches/0001-batman-adv-fix-skb-leak-in-batadv_dat_snoop_incoming.patch
+===================================================================
+--- /packages/net/batman-adv/patches/0001-batman-adv-fix-skb-leak-in-batadv_dat_snoop_incoming.patch (revision 35608)
++++ /packages/net/batman-adv/patches/0001-batman-adv-fix-skb-leak-in-batadv_dat_snoop_incoming.patch (revision 35609)
+@@ -2,5 +2,5 @@
+ From: Matthias Schiffer
+ Date: Wed, 23 Jan 2013 18:11:53 +0100
+-Subject: [PATCH 1/3] batman-adv: fix skb leak in
++Subject: [PATCH 1/4] batman-adv: fix skb leak in
+ batadv_dat_snoop_incoming_arp_reply()
+
+Index: /packages/net/batman-adv/patches/0002-batman-adv-check-for-more-types-of-invalid-IP-addres.patch
+===================================================================
+--- /packages/net/batman-adv/patches/0002-batman-adv-check-for-more-types-of-invalid-IP-addres.patch (revision 35608)
++++ /packages/net/batman-adv/patches/0002-batman-adv-check-for-more-types-of-invalid-IP-addres.patch (revision 35609)
+@@ -2,5 +2,5 @@
+ From: Matthias Schiffer
+ Date: Thu, 24 Jan 2013 18:18:26 +0100
+-Subject: [PATCH 2/3] batman-adv: check for more types of invalid IP addresses
++Subject: [PATCH 2/4] batman-adv: check for more types of invalid IP addresses
+ in DAT
+
+Index: /packages/net/batman-adv/patches/0003-batman-adv-filter-ARP-packets-with-invalid-MAC-addre.patch
+===================================================================
+--- /packages/net/batman-adv/patches/0003-batman-adv-filter-ARP-packets-with-invalid-MAC-addre.patch (revision 35608)
++++ /packages/net/batman-adv/patches/0003-batman-adv-filter-ARP-packets-with-invalid-MAC-addre.patch (revision 35609)
+@@ -2,5 +2,5 @@
+ From: Matthias Schiffer
+ Date: Thu, 24 Jan 2013 18:18:27 +0100
+-Subject: [PATCH 3/3] batman-adv: filter ARP packets with invalid MAC
++Subject: [PATCH 3/4] batman-adv: filter ARP packets with invalid MAC
+ addresses in DAT
+
+Index: /packages/net/batman-adv/patches/0004-batman-adv-Fix-NULL-pointer-dereference-in-DAT-hash-.patch
+===================================================================
+--- /packages/net/batman-adv/patches/0004-batman-adv-Fix-NULL-pointer-dereference-in-DAT-hash-.patch (revision 35609)
++++ /packages/net/batman-adv/patches/0004-batman-adv-Fix-NULL-pointer-dereference-in-DAT-hash-.patch (revision 35609)
+@@ -0,0 +1,38 @@
++From 9f1fb6914d66e282c2b1f51aa2d4a231c84df84d Mon Sep 17 00:00:00 2001
++From: Pau Koning
++Date: Fri, 15 Feb 2013 00:18:56 +0100
++Subject: [PATCH 4/4] batman-adv: Fix NULL pointer dereference in DAT hash
++ collision avoidance
++
++An entry in DAT with the hashed position of 0 can cause a NULL pointer
++dereference when the first entry is checked by batadv_choose_next_candidate.
++This first candidate automatically has the max value of 0 and the max_orig_node
++of NULL. Not checking max_orig_node for NULL in batadv_is_orig_node_eligible
++will lead to a NULL pointer dereference when checking for the lowest address.
++
++This problem was added in 785ea1144182c341b8b85b0f8180291839d176a8
++("batman-adv: Distributed ARP Table - create DHT helper functions").
++
++Signed-off-by: Pau Koning
++Signed-off-by: David S. Miller
++Signed-off-by: Marek Lindner
++---
++ distributed-arp-table.c | 2 +-
++ 1 file changed, 1 insertion(+), 1 deletion(-)
++
++diff --git a/distributed-arp-table.c b/distributed-arp-table.c
++index ea0bd31..761a590 100644
++--- a/distributed-arp-table.c
+++++ b/distributed-arp-table.c
++@@ -440,7 +440,7 @@ static bool batadv_is_orig_node_eligible(struct batadv_dat_candidate *res,
++ /* this is an hash collision with the temporary selected node. Choose
++ * the one with the lowest address
++ */
++- if ((tmp_max == max) &&
+++ if ((tmp_max == max) && max_orig_node &&
++ (batadv_compare_eth(candidate->orig, max_orig_node->orig) > 0))
++ goto out;
++
++--
++1.7.10.4
++
diff --git a/buildscript b/buildscript
index dded182..88388bd 100755
--- a/buildscript
+++ b/buildscript
@@ -28,6 +28,12 @@ prepare() {
 #backport ath9k-fixes from openwrt r35786
 cp build_patches/mac80211/* $target/package/mac80211/patches
+ #batman-adv: distributed arp table fixes
+ cat build_patches/changeset_35324.diff | patch -p1 -d $target/feeds
+
+ #batman-adv: fix dat NULL pointer dereference
+ cat build_patches/changeset_35609.diff | patch -p1 -d $target/feeds
+
 board_prepare
 }
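Review bot: The two added `patch` invocations in prepare() do not check their exit status, so if either changeset fails to apply (for instance when prepare() is re-run on an already patched feeds tree) the build can carry on with a batman-adv that lacks the DAT skb-leak and NULL-dereference fixes; whether the script runs under `set -e` is not visible in this hunk. Reading the patch on stdin and stopping on failure would be `patch -p1 -d "$target/feeds" < build_patches/changeset_35324.diff || exit 1`, and the same for changeset_35609.diff, which also quotes `$target` against paths containing spaces. changeset_35609.diff edits the patch files that changeset_35324.diff creates, so the order of the two calls matters and deserves a comment such as `# must be applied after changeset_35324.diff`. prepare() begins outside the hunk.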