From: Sven Eckelmann <sven@narfation.org>
Date: Wed, 22 Jul 2020 20:49:23 +0200
Subject: batman-adv: Avoid uninitialized chaddr when handling DHCP

The gateway client code can try to optimize the delivery of DHCP packets to
avoid broadcasting them through the whole mesh. But also transmissions to
the client can be optimized by looking up the destination via the chaddr of
the DHCP packet.

But the chaddr is currently only done when chaddr is fully inside the
non-paged area of the skbuff. Otherwise it will not be initialized and the
unoptimized path should have been taken.

But the implementation didn't handle this correctly. It didn't retrieve the
correct chaddr but still tried to perform the TT lookup with this
uninitialized memory.

Reported-by: syzbot+ab16e463b903f5a37036@syzkaller.appspotmail.com
Fixes: 2d5b555644b2 ("batman-adv: send every DHCP packet as bat-unicast")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Sven Eckelmann <sven@narfation.org>

Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/fcdf008ffd749246632d1f9423163af5dc3f8c7f

--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -703,8 +703,10 @@ batadv_gw_dhcp_recipient_get(struct sk_b
chaddr_offset = *header_len + BATADV_DHCP_CHADDR_OFFSET;
/* store the client address if the message is going to a client */
- if (ret == BATADV_DHCP_TO_CLIENT &&
- pskb_may_pull(skb, chaddr_offset + ETH_ALEN)) {
+ if (ret == BATADV_DHCP_TO_CLIENT) {
+ if (!pskb_may_pull(skb, chaddr_offset + ETH_ALEN))
+ return BATADV_DHCP_NO;
+
/* check if the DHCP packet carries an Ethernet DHCP */
p = skb->data + *header_len + BATADV_DHCP_HTYPE_OFFSET;
if (*p != BATADV_DHCP_HTYPE_ETHERNET)
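
Review bot: the new `return BATADV_DHCP_NO;` inside the `ret == BATADV_DHCP_TO_CLIENT` branch has no comment, and read on its own it reports a packet already classified as going to a client as "not DHCP". A short comment above the `pskb_may_pull()` check, saying that a packet whose chaddr is not available in the linear area must take the unoptimized path (as the commit message explains), would keep a later cleanup from folding the check back into the `if` condition, the form the commit message describes as leaving chaddr uninitialized before the TT lookup. The ordering in the added lines is right: `p` is computed from `skb->data` only after the pull, which matters because `pskb_may_pull()` can reallocate the skb head. It is also worth confirming in the callers, which this hunk does not show, that chaddr is read only when the return value is `BATADV_DHCP_TO_CLIENT`.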