From: Sasha Levin
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Sven Eckelmann, Simon Wunderlich, Sasha Levin, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 15/68] batman-adv: Expand merged fragment buffer for full packet
Date: Thu, 29 Nov 2018 00:55:06 -0500
Message-Id: <20181129055559.159228-15-sashal@kernel.org>
In-Reply-To: <20181129055559.159228-1-sashal@kernel.org>
References: <20181129055559.159228-1-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Sven Eckelmann

[ Upstream commit d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60 ]

The complete size ("total_size") of the fragmented packet is stored in the fragment header and in the size of the fragment chain. When the fragments are ready for merge, the skbuff's tail of the first fragment is expanded to have enough room after the data pointer for at least total_size. This means that it gets expanded by total_size - first_skb->len.

But this is ignoring the fact that after expanding the buffer, the fragment header is pulled from this buffer. Assuming that the tailroom of the buffer was already 0, the buffer after the data pointer of the skbuff is now only total_size - len(fragment_header) large. When the merge function is then processing the remaining fragments, the code to copy the data over to the merged skbuff will cause an skb_over_panic when it tries to actually put enough data to fill the total_size bytes of the packet.

The size of the skb_pull must therefore also be taken into account when the buffer's tailroom is expanded.

Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Reported-by: Martin Weinelt
Co-authored-by: Linus Lüssing
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
Signed-off-by: Sasha Levin --- net/batman-adv/fragmentation.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c index 0fddc17106bd..5b71a289d04f 100644 --- a/net/batman-adv/fragmentation.c +++ b/net/batman-adv/fragmentation.c @@ -275,7 +275,7 @@ batadv_frag_merge_packets(struct hlist_head *chain) kfree(entry); packet = (struct batadv_frag_packet *)skb_out->data; - size = ntohs(packet->total_size); + size = ntohs(packet->total_size) + hdr_size; /* Make room for the rest of the fragments. */ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { -- 2.17.1
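Review bot: the corrected `size = ntohs(packet->total_size) + hdr_size;` is right for the `pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC)` call below it, but the reason `hdr_size` belongs in `size` (the fragment header is still in front of the data when the tailroom is computed and is only pulled off afterwards, so the tailroom must cover total_size plus that header) lives only in the commit message; extending the `/* Make room for the rest of the fragments. */` comment to say so would stop a later cleanup from "simplifying" it back to the broken form. It is also worth checking in the surrounding code, which the hunk does not show, whether `size` is read again later with its old payload-only meaning, since its value has now changed.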
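The sizing error the commit message describes, replayed as an added example (this is not batman-adv or kernel code): a toy sk_buff model runs expand, pull and put with the pre-fix and post-fix value of `size` and reports whether the remaining fragment payload fits. The `skb` struct, the helper names and `merge_fits` with its `fixed` flag are constructed for the illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model of the sk_buff fields that matter here (added example, not kernel
 * code): data..tail is the live packet, end is the allocation limit. */
struct skb { unsigned char *head, *data, *tail, *end; size_t len; };

/* First fragment as received, with no tailroom (the case the commit message assumes). */
static void skb_init(struct skb *s, size_t len)
{
    s->head = calloc(len, 1);
    s->data = s->head; s->tail = s->head + len; s->end = s->tail; s->len = len;
}

/* Stands in for pskb_expand_head(skb, 0, ntail, GFP_ATOMIC): add ntail bytes of tailroom. */
static void skb_expand_tail(struct skb *s, size_t ntail)
{
    size_t off = s->data - s->head, used = s->end - s->head;
    s->head = realloc(s->head, used + ntail);
    s->data = s->head + off; s->tail = s->data + s->len; s->end = s->head + used + ntail;
}

/* skb_pull(): drop hdr bytes of fragment header; len shrinks, end stays where it is. */
static void skb_pull(struct skb *s, size_t hdr) { s->data += hdr; s->len -= hdr; }

/* skb_put_data(): 0 on success, -1 where the kernel would hit skb_over_panic. */
static int skb_put_data(struct skb *s, const unsigned char *p, size_t n)
{
    if ((size_t)(s->end - s->tail) < n) return -1;
    memcpy(s->tail, p, n); s->tail += n; s->len += n; return 0;
}

/* Replay the merge sizing: the first fragment is first_len bytes (hdr_size of
 * fragment header plus payload) and the whole packet carries total_size bytes
 * of payload; fixed selects the pre-fix (0) or post-fix (1) value of size.
 * Returns 1 if the remaining fragment payload fits, 0 if it would overflow. */
int merge_fits(size_t hdr_size, size_t first_len, size_t total_size, int fixed)
{
    size_t size = fixed ? total_size + hdr_size : total_size;
    size_t remaining = total_size - (first_len - hdr_size); /* payload still to copy */
    unsigned char *payload = calloc(remaining + 1, 1);      /* constructed sample bytes */
    struct skb s;
    int ok;

    if (first_len < hdr_size || first_len - hdr_size > total_size) return 0;
    skb_init(&s, first_len);
    skb_expand_tail(&s, size > s.len ? size - s.len : 0);
    skb_pull(&s, hdr_size);             /* header is pulled only after the expansion */
    ok = skb_put_data(&s, payload, remaining) == 0;
    free(payload); free(s.head);
    return ok;
}
```

With a 20-byte fragment header, a 120-byte first fragment and 1000 bytes of total payload, the pre-fix sizing comes up exactly hdr_size bytes short while the post-fix sizing fits.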