batman-adv: Merge bugfixes from 2018.4
* Use explicit tvlv padding for ELP packets
* Expand merged fragment buffer for full packet

Signed-off-by: Sven Eckelmann <sven@narfation.org>
parent 2ac8e7b42b
commit 2c8de62f4a
@ -11,7 +11,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=batman-adv
PKG_VERSION:=2016.5
PKG_RELEASE:=10
PKG_RELEASE:=11
PKG_MD5SUM:=6717a933a08dd2a01b00df30cb9f16a8
PKG_HASH:=d0a0fc90c4f410b57d043215e253bb0b855efa5edbe165d87c17bfdcfafd0db7
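Review bot: the context around the PKG_RELEASE bump still carries both PKG_MD5SUM and PKG_HASH for the same tarball. The SHA-256 in PKG_HASH already pins the download, so the MD5 line is a second value that has to be kept in sync on every version change and adds no integrity guarantee; consider dropping PKG_MD5SUM in a follow-up. Bumping only PKG_RELEASE is the right call here since PKG_VERSION stays at 2016.5 and only backported patches are added.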
@ -0,0 +1,58 @@
From: Sven Eckelmann <sven@narfation.org>
Date: Tue, 30 Oct 2018 12:17:10 +0100
Subject: [PATCH] batman-adv: Use explicit tvlv padding for ELP packets

The announcement messages of batman-adv COMPAT_VERSION 15 have the
possibility to announce additional information via a dynamic TVLV part.
This part is optional for the ELP packets and currently not parsed by the
Linux implementation. Still out-of-tree versions are using it to transport
things like neighbor hashes to optimize the rebroadcast behavior.

Since the ELP broadcast packets are smaller than the minimal ethernet
packet, it often has to be padded. This is often done (as specified in
RFC894) with octets of zero and thus work perfectly fine with the TVLV
part (making it a zero length and thus empty). But not all ethernet
compatible hardware seems to follow this advice. To avoid ambiguous
situations when parsing the TVLV header, just force the 4 bytes (TVLV
length + padding) after the required ELP header to zero.

Fixes: a4b88af77e28 ("batman-adv: ELP - adding basic infrastructure")
Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>

Origin: backport, https://git.open-mesh.org/batman-adv.git/commit/974337ee9773c4bd0a2d5c322306cf2bea445e11
---
net/batman-adv/bat_v_elp.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/batman-adv/bat_v_elp.c b/net/batman-adv/bat_v_elp.c
index 2ec0ecab0493ff88fdc01e55c8557de5b772e8bf..08c0809fca7de1fe51727652a2e870ddfa74dc13 100644
--- a/net/batman-adv/bat_v_elp.c
+++ b/net/batman-adv/bat_v_elp.c
@@ -338,21 +338,23 @@ out:
*/
int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface)
{
+ static const size_t tvlv_padding = sizeof(__be32);
struct batadv_elp_packet *elp_packet;
unsigned char *elp_buff;
u32 random_seqno;
size_t size;
int res = -ENOMEM;
- size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN;
+ size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN + tvlv_padding;
hard_iface->bat_v.elp_skb = dev_alloc_skb(size);
if (!hard_iface->bat_v.elp_skb)
goto out;
skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN);
- elp_buff = skb_put(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
+ elp_buff = skb_put(hard_iface->bat_v.elp_skb,
+ BATADV_ELP_HLEN + tvlv_padding);
elp_packet = (struct batadv_elp_packet *)elp_buff;
- memset(elp_packet, 0, BATADV_ELP_HLEN);
+ memset(elp_packet, 0, BATADV_ELP_HLEN + tvlv_padding);
elp_packet->packet_type = BATADV_ELP;
elp_packet->version = BATADV_COMPAT_VERSION;
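Review bot: `BATADV_ELP_HLEN + tvlv_padding` is now spelled out three times in batadv_v_elp_iface_enable(): in the `size` computation, in the skb_put() call and in the memset(). A later edit that touches only one of them would either send padding bytes that were never zeroed or clear more than was reserved with skb_put(). Compute the length once into a local and use it at all three sites. A one-line comment on `tvlv_padding` stating that the 4 bytes are the TVLV length plus padding, as the commit message explains, would also help, because `sizeof(__be32)` on its own does not say what the field is.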
@ -0,0 +1,44 @@
From: Sven Eckelmann <sven@narfation.org>
Date: Wed, 7 Nov 2018 23:09:12 +0100
Subject: [PATCH] batman-adv: Expand merged fragment buffer for full packet

The complete size ("total_size") of the fragmented packet is stored in the
fragment header and in the size of the fragment chain. When the fragments
are ready for merge, the skbuff's tail of the first fragment is expanded to
have enough room after the data pointer for at least total_size. This means
that it gets expanded by total_size - first_skb->len.

But this is ignoring the fact that after expanding the buffer, the fragment
header is pulled by from this buffer. Assuming that the tailroom of the
buffer was already 0, the buffer after the data pointer of the skbuff is
now only total_size - len(fragment_header) large. When the merge function
is then processing the remaining fragments, the code to copy the data over
to the merged skbuff will cause an skb_over_panic when it tries to actually
put enough data to fill the total_size bytes of the packet.

The size of the skb_pull must therefore also be taken into account when the
buffer's tailroom is expanded.

Fixes: 9b3eab61754d ("batman-adv: Receive fragmented packets and merge")
Reported-by: Martin Weinelt <martin@darmstadt.freifunk.net>
Co-authored-by: Linus Lüssing <linus.luessing@c0d3.blue>
Signed-off-by: Sven Eckelmann <sven@narfation.org>

Origin: other, https://patchwork.open-mesh.org/patch/17616/
---
net/batman-adv/fragmentation.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

||||
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index 5969d3705ec08a96438ecce06577d35291600753..f6a5196d0370517716dfc9e1f80fb878a068801d 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -274,7 +274,7 @@ batadv_frag_merge_packets(struct hlist_head *chain)
kfree(entry);
packet = (struct batadv_frag_packet *)skb_out->data;
- size = ntohs(packet->total_size);
+ size = ntohs(packet->total_size) + hdr_size;
/* Make room for the rest of the fragments. */
if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) {
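Review bot: `packet->total_size` is read from the received fragment header and feeds `size - skb_out->len` in the pskb_expand_head() call, with no bound on it visible in this hunk. If a total_size smaller than the first fragment's length can reach batadv_frag_merge_packets(), the ntail argument goes negative, so please confirm (ideally in a comment here) where total_size is validated against the chain size before the merge. The existing comment "Make room for the rest of the fragments" should also say that `hdr_size` is added because the fragment header is pulled from the buffer after the expansion; without that the `+ hdr_size` reads like an off-by-header mistake.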