Commit 3b27668d authored by Sven Eckelmann, committed by Stefan Bader

batman-adv: Force mac header to start of data on xmit

BugLink: https://bugs.launchpad.net/bugs/1818813

commit 9114daa8 upstream.

The caller of ndo_start_xmit may not already have called
skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr
therefore can be in the wrong position and even outside the current skbuff.
This for example happens when the user binds to the device using a
PF_PACKET-SOCK_RAW with enabled qdisc-bypass:

  int opt = 4;
  setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt));

Since eth_hdr is used all over the codebase, the batadv_interface_tx
function must always take care of resetting it.

Fixes: c6c8fea2 ("net: Add batman-adv meshing protocol")
Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com
Reported-by: syzbot+7d20bc3f1ddddc0f9079@syzkaller.appspotmail.com
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Juerg Haefliger <juergh@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>
parent 266145cf
...@@ -209,6 +209,8 @@ static int batadv_interface_tx(struct sk_buff *skb, ...@@ -209,6 +209,8 @@ static int batadv_interface_tx(struct sk_buff *skb,
soft_iface->trans_start = jiffies; soft_iface->trans_start = jiffies;
vid = batadv_get_vid(skb, 0); vid = batadv_get_vid(skb, 0);
skb_reset_mac_header(skb);
ethhdr = eth_hdr(skb); ethhdr = eth_hdr(skb);
switch (ntohs(ethhdr->h_proto)) { switch (ntohs(ethhdr->h_proto)) {
......
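Review bot: the new skb_reset_mac_header(skb) call in batadv_interface_tx sits after batadv_get_vid(skb, 0), so that helper still runs before the mac header offset is known to be valid. If batadv_get_vid reads anything through skb_mac_header or eth_hdr, the reset should move above it. If it only works from skb->data, a short comment next to the reset would make the ordering explicit. The comment could say that callers of ndo_start_xmit (for example PF_PACKET with qdisc bypass) may not have set the mac header. That would also guard against a later eth_hdr user being added above this line.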