Commit 202cfe10 authored by Sven Eckelmann's avatar Sven Eckelmann Committed by Greg Kroah-Hartman

Staging: batman-adv: Update pointer to ethhdr after skb_copy

We must ensure that all pointer to a socket buffer are updated when we
copy a socket buffer and free our reference to the old one.
Another part of the kernel could also free its reference which maybe
removes the buffer completely. In that situation we would would feed
wrong information to the routing algorithm after the memory area is
written again by someone else.
Signed-off-by: default avatarSven Eckelmann <sven.eckelmann@gmx.de>
Signed-off-by: default avatarMarek Lindner <lindner_marek@yahoo.de>
Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 7d02d777
...@@ -614,6 +614,7 @@ int recv_bat_packet(struct sk_buff *skb, ...@@ -614,6 +614,7 @@ int recv_bat_packet(struct sk_buff *skb,
skb = skb_copy(skb, GFP_ATOMIC); skb = skb_copy(skb, GFP_ATOMIC);
if (!skb) if (!skb)
return NET_RX_DROP; return NET_RX_DROP;
ethhdr = (struct ethhdr *)skb_mac_header(skb);
kfree_skb(skb_old); kfree_skb(skb_old);
} }
...@@ -639,8 +640,8 @@ static int recv_my_icmp_packet(struct sk_buff *skb) ...@@ -639,8 +640,8 @@ static int recv_my_icmp_packet(struct sk_buff *skb)
unsigned long flags; unsigned long flags;
uint8_t dstaddr[ETH_ALEN]; uint8_t dstaddr[ETH_ALEN];
icmp_packet = (struct icmp_packet *) skb->data; icmp_packet = (struct icmp_packet *)skb->data;
ethhdr = (struct ethhdr *) skb_mac_header(skb); ethhdr = (struct ethhdr *)skb_mac_header(skb);
/* add data to device queue */ /* add data to device queue */
if (icmp_packet->msg_type != ECHO_REQUEST) { if (icmp_packet->msg_type != ECHO_REQUEST) {
...@@ -671,7 +672,9 @@ static int recv_my_icmp_packet(struct sk_buff *skb) ...@@ -671,7 +672,9 @@ static int recv_my_icmp_packet(struct sk_buff *skb)
skb = skb_copy(skb, GFP_ATOMIC); skb = skb_copy(skb, GFP_ATOMIC);
if (!skb) if (!skb)
return NET_RX_DROP; return NET_RX_DROP;
icmp_packet = (struct icmp_packet *) skb->data;
icmp_packet = (struct icmp_packet *)skb->data;
ethhdr = (struct ethhdr *)skb_mac_header(skb);
kfree_skb(skb_old); kfree_skb(skb_old);
} }
...@@ -732,6 +735,7 @@ static int recv_icmp_ttl_exceeded(struct sk_buff *skb) ...@@ -732,6 +735,7 @@ static int recv_icmp_ttl_exceeded(struct sk_buff *skb)
if (!skb) if (!skb)
return NET_RX_DROP; return NET_RX_DROP;
icmp_packet = (struct icmp_packet *) skb->data; icmp_packet = (struct icmp_packet *) skb->data;
ethhdr = (struct ethhdr *)skb_mac_header(skb);
kfree_skb(skb_old); kfree_skb(skb_old);
} }
...@@ -780,7 +784,7 @@ int recv_icmp_packet(struct sk_buff *skb) ...@@ -780,7 +784,7 @@ int recv_icmp_packet(struct sk_buff *skb)
if (!is_my_mac(ethhdr->h_dest)) if (!is_my_mac(ethhdr->h_dest))
return NET_RX_DROP; return NET_RX_DROP;
icmp_packet = (struct icmp_packet *) skb->data; icmp_packet = (struct icmp_packet *)skb->data;
/* packet for me */ /* packet for me */
if (is_my_mac(icmp_packet->dst)) if (is_my_mac(icmp_packet->dst))
...@@ -812,7 +816,8 @@ int recv_icmp_packet(struct sk_buff *skb) ...@@ -812,7 +816,8 @@ int recv_icmp_packet(struct sk_buff *skb)
skb = skb_copy(skb, GFP_ATOMIC); skb = skb_copy(skb, GFP_ATOMIC);
if (!skb) if (!skb)
return NET_RX_DROP; return NET_RX_DROP;
icmp_packet = (struct icmp_packet *) skb->data; icmp_packet = (struct icmp_packet *)skb->data;
ethhdr = (struct ethhdr *)skb_mac_header(skb);
kfree_skb(skb_old); kfree_skb(skb_old);
} }
...@@ -895,7 +900,8 @@ int recv_unicast_packet(struct sk_buff *skb) ...@@ -895,7 +900,8 @@ int recv_unicast_packet(struct sk_buff *skb)
skb = skb_copy(skb, GFP_ATOMIC); skb = skb_copy(skb, GFP_ATOMIC);
if (!skb) if (!skb)
return NET_RX_DROP; return NET_RX_DROP;
unicast_packet = (struct unicast_packet *) skb->data; unicast_packet = (struct unicast_packet *)skb->data;
ethhdr = (struct ethhdr *)skb_mac_header(skb);
kfree_skb(skb_old); kfree_skb(skb_old);
} }
/* decrement ttl */ /* decrement ttl */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment