From patchwork Sun Apr 29 08:57:41 2012 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Antonio Quartulli X-Patchwork-Id: 155708 X-Patchwork-Delegate: davem@davemloft.net
From: Antonio Quartulli To: davem@davemloft.net Cc: netdev@vger.kernel.org, b.a.t.m.a.n@lists.open-mesh.org, Antonio Quartulli Subject: [PATCH 09/15] batman-adv: fix wrong dhcp option list browsing Date: Sun, 29 Apr 2012 10:57:41 +0200 Message-Id: <1335689867-8017-10-git-send-email-ordex@autistici.org> X-Mailer: git-send-email 1.7.9.4 In-Reply-To: <1335689867-8017-1-git-send-email-ordex@autistici.org> References: <1335689867-8017-1-git-send-email-ordex@autistici.org> Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org In is_type_dhcprequest(), while parsing a DHCP message, if the entry we found in the option list is neither a padding nor the dhcp-type, we have to ignore it and jump as many bytes as its length + 1. The "+ 1" byte is given by the subtype field itself that has to be jumped too. Reported-by: Marek Lindner Signed-off-by: Antonio Quartulli --- net/batman-adv/gateway_client.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c index 6f9b9b7..47f7186 100644 --- a/net/batman-adv/gateway_client.c +++ b/net/batman-adv/gateway_client.c @@ -558,10 +558,10 @@ static bool is_type_dhcprequest(struct sk_buff *skb, int header_len) p++; /* ...and then we jump over the data */ - if (pkt_len < *p) + if (pkt_len < 1 + (*p)) goto out; - pkt_len -= *p; - p += (*p); + pkt_len -= 1 + (*p); + p += 1 + (*p); } } out:
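Review bot: In the last branch of is_type_dhcprequest(), the new check `if (pkt_len < 1 + (*p))` still passes when pkt_len equals 1 + *p, after which pkt_len is 0 and p sits one byte past the data that was just validated. The hunk does not show the next read of *p, so please confirm that it is guarded by a pkt_len check, since the option list is taken from the contents of the skb. Two smaller points: `1 + (*p)` is evaluated three times and would read better as a local holding the length byte plus one, and the comment "...and then we jump over the data" should say that the length byte is skipped as well, which is the whole point of the fix.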