diff options
| author | Sven Eckelmann <sven@narfation.org> | 2019-08-22 08:55:36 +0200 | 
|---|---|---|
| committer | Simon Wunderlich <sw@simonwunderlich.de> | 2019-08-23 18:20:17 +0200 | 
| commit | a15d56a60760aa9dbe26343b9a0ac5228f35d445 (patch) | |
| tree | 1db1303a1b1511df243c7f0dd4a0f8a4e3ec245a /net/lapb/lapb_iface.c | |
| parent | 3ee1bb7aae97324ec9078da1f00cb2176919563f (diff) | |
batman-adv: Only read OGM tvlv_len after buffer len check
Multiple batadv_ogm_packet can be stored in an skbuff. The functions
batadv_iv_ogm_send_to_if()/batadv_iv_ogm_receive() use
batadv_iv_ogm_aggr_packet() to check if there is another additional
batadv_ogm_packet in the skb or not before they continue processing the
packet.
The length for such an OGM is BATADV_OGM_HLEN +
batadv_ogm_packet->tvlv_len. The check must first check that at least
BATADV_OGM_HLEN bytes are available before it accesses tvlv_len (which is
part of the header. Otherwise it might try read outside of the currently
available skbuff to get the content of tvlv_len.
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Reported-by: syzbot+355cab184197dbbfa384@syzkaller.appspotmail.com
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Acked-by: Antonio Quartulli <a@unstable.cc>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Diffstat (limited to 'net/lapb/lapb_iface.c')
0 files changed, 0 insertions, 0 deletions
