From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Martin Weinelt, Sven Eckelmann, Simon Wunderlich, Sasha Levin, Linus Lüssing
Subject: [PATCH 4.4 60/91] batman-adv: Expand merged fragment buffer for full packet
Date: Tue, 11 Dec 2018 16:41:19 +0100
Message-Id: <20181211151610.948845988@linuxfoundation.org>
X-Mailer: git-send-email 2.20.0
In-Reply-To: <20181211151606.026852373@linuxfoundation.org>
References: <20181211151606.026852373@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit d7d8bbb40a5b1f682ee6589e212934f4c6b8ad60 ]

The complete size ("total_size") of the fragmented packet is stored in the fragment header and in the size of the fragment chain. When the fragments are ready for merge, the skbuff's tail of the first fragment is expanded to have enough room after the data pointer for at least total_size. This means that it gets expanded by total_size - first_skb->len.

But this is ignoring the fact that after expanding the buffer, the fragment header is pulled from this buffer. Assuming that the tailroom of the buffer was already 0, the buffer after the data pointer of the skbuff is now only total_size - len(fragment_header) large. When the merge function is then processing the remaining fragments, the code to copy the data over to the merged skbuff will cause an skb_over_panic when it tries to actually put enough data to fill the total_size bytes of the packet.

The size of the skb_pull must therefore also be taken into account when the buffer's tailroom is expanded.
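The tailroom arithmetic the commit message walks through, as an added example that is not part of this patch or of the kernel source: a toy stand-in for the sk_buff fields the merge touches, replaying the old size computation (total_size only) beside the patched one (total_size plus the header length). The struct toy_skb type, the toy_* helpers, the header length and the fragment sizes are all constructed for this illustration; the bounds-checked toy_put() returns false at the point where the real skb_put() would call skb_over_panic().

```c
/* Added example: a toy model of the sk_buff tailroom arithmetic described
 * in the commit message. Nothing here is kernel code; struct toy_skb and
 * the toy_* helpers are constructed stand-ins for the fields and calls the
 * batman-adv merge uses. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed fragment header length; any positive value shows the effect. */
#define TOY_FRAG_HDR_SIZE 20

/* Stand-in for the parts of struct sk_buff the merge touches. */
struct toy_skb {
    unsigned char *head; /* start of the allocation */
    size_t data_off;     /* offset of the data pointer from head */
    size_t len;          /* bytes between data and tail */
    size_t alloc;        /* size of the allocation (end - head) */
};

/* Bytes available after tail, like skb_tailroom(). */
static size_t toy_tailroom(const struct toy_skb *skb)
{
    return skb->alloc - (skb->data_off + skb->len);
}

/* Like pskb_expand_head(skb, 0, ntail, ...): ensure at least ntail bytes of
 * tailroom, growing the allocation if needed (contents are preserved). */
static void toy_expand_tail(struct toy_skb *skb, size_t ntail)
{
    size_t need = skb->data_off + skb->len + ntail;

    if (need <= skb->alloc)
        return;
    skb->head = realloc(skb->head, need);
    if (!skb->head)
        abort();
    skb->alloc = need;
}

/* Like skb_pull(): drop n bytes from the front of the data area. The data
 * pointer moves forward, so pulling does not add any tailroom. */
static void toy_pull(struct toy_skb *skb, size_t n)
{
    skb->data_off += n;
    skb->len -= n;
}

/* Like skb_put() with a bounds check: the real function would hit
 * skb_over_panic() here; the toy returns false so the caller can see it. */
static bool toy_put(struct toy_skb *skb, const unsigned char *src, size_t n)
{
    if (n > toy_tailroom(skb))
        return false;
    memcpy(skb->head + skb->data_off + skb->len, src, n);
    skb->len += n;
    return true;
}

/* Replay the merge on constructed sizes: the first fragment carries the
 * header plus first_payload bytes of a packet whose header reports
 * total_size payload bytes; the rest arrives in later fragments. fixed
 * selects the patched computation (total_size + hdr_size) instead of the
 * old one (total_size only). Returns true if the whole payload fits. */
static bool toy_merge(size_t total_size, size_t first_payload, bool fixed)
{
    struct toy_skb skb;
    size_t rest_payload, size;
    unsigned char *rest;
    bool ok;

    if (first_payload > total_size)
        return false;
    rest_payload = total_size - first_payload;
    size = fixed ? total_size + TOY_FRAG_HDR_SIZE : total_size;

    /* First fragment with zero tailroom, the case the commit message assumes. */
    skb.len = TOY_FRAG_HDR_SIZE + first_payload;
    skb.data_off = 0;
    skb.alloc = skb.len;
    skb.head = calloc(skb.alloc, 1);
    if (!skb.head)
        abort();

    /* "Make room for the rest of the fragments": expand by size - len. */
    if (size > skb.len)
        toy_expand_tail(&skb, size - skb.len);

    /* The fragment header is pulled only after the expansion. */
    toy_pull(&skb, TOY_FRAG_HDR_SIZE);

    /* Copy the remaining payload in (constructed filler bytes). */
    rest = malloc(rest_payload ? rest_payload : 1);
    if (!rest)
        abort();
    memset(rest, 0xAB, rest_payload);
    ok = toy_put(&skb, rest, rest_payload);

    free(rest);
    free(skb.head);
    return ok;
}

int main(void)
{
    printf("old size computation: %s\n",
           toy_merge(1000, 400, false) ? "fits" : "over-run (skb_over_panic)");
    printf("patched size computation: %s\n",
           toy_merge(1000, 400, true) ? "fits" : "over-run (skb_over_panic)");
    return 0;
}
```

With the old computation the shortfall is exactly TOY_FRAG_HDR_SIZE bytes, whatever the payload split, which is why adding the header length to `size` before the expansion is sufficient.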
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge") Reported-by: Martin Weinelt Co-authored-by: Linus Lüssing Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich Signed-off-by: Sasha Levin --- net/batman-adv/fragmentation.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c index 5d2f9d4879b2..d50c3b003dc9 100644 --- a/net/batman-adv/fragmentation.c +++ b/net/batman-adv/fragmentation.c @@ -266,7 +266,7 @@ batadv_frag_merge_packets(struct hlist_head *chain) kfree(entry); packet = (struct batadv_frag_packet *)skb_out->data; - size = ntohs(packet->total_size); + size = ntohs(packet->total_size) + hdr_size; /* Make room for the rest of the fragments. */ if (pskb_expand_head(skb_out, 0, size - skb_out->len, GFP_ATOMIC) < 0) { -- 2.19.1
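Review bot: `hdr_size` is neither declared nor assigned anywhere in the visible context of this hunk, so the reviewer has to check its definition against the later skb_pull() the commit message refers to; a one-line comment above `size = ntohs(packet->total_size) + hdr_size;` stating that skb_out still carries the fragment header at this point, and that it is pulled only after pskb_expand_head(), would make the reason for the added term clear to the next reader. The declared type of `size` should also be confirmed: ntohs() yields a 16-bit value, and the sum with hdr_size must not be stored back into a u16 before it reaches the `size - skb_out->len` tailroom argument.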