From 0d15becee56fdfc2e9a4374c46ea7cf7562a6f32 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Wed, 23 Jan 2013 18:11:53 +0100 Subject: batman-adv: fix skb leak in batadv_dat_snoop_incoming_arp_reply() The callers of batadv_dat_snoop_incoming_arp_reply() assume the skb has been freed when it returns true; fix this by calling kfree_skb before returning as it is done in batadv_dat_snoop_incoming_arp_request(). Signed-off-by: Matthias Schiffer Signed-off-by: Marek Lindner Acked-by: Antonio Quartulli Signed-off-by: Antonio Quartulli --- net/batman-adv/distributed-arp-table.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'net/batman-adv') diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c index 8e1d89d2b1c1..ce0d2992381a 100644 --- a/net/batman-adv/distributed-arp-table.c +++ b/net/batman-adv/distributed-arp-table.c @@ -1012,6 +1012,8 @@ bool batadv_dat_snoop_incoming_arp_reply(struct batadv_priv *bat_priv, */ ret = !batadv_is_my_client(bat_priv, hw_dst); out: + if (ret) + kfree_skb(skb); /* if ret == false -> packet has to be delivered to the interface */ return ret; } -- cgit v1.2.3 From 757dd82ea7008ddaccfecff3397bec3e3203a89e Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Thu, 24 Jan 2013 18:18:26 +0100 Subject: batman-adv: check for more types of invalid IP addresses in DAT There are more types of IP addresses that may appear in ARP packets that we don't want to process. While some of these should never appear in sane ARP packets, a 0.0.0.0 source is used for duplicate address detection and thus seen quite often. Signed-off-by: Matthias Schiffer Acked-by: Antonio Quartulli Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli --- net/batman-adv/distributed-arp-table.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'net/batman-adv') diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c index ce0d2992381a..ccb3c6c96ba7 100644 --- a/net/batman-adv/distributed-arp-table.c +++ b/net/batman-adv/distributed-arp-table.c @@ -777,7 +777,9 @@ static uint16_t batadv_arp_get_type(struct batadv_priv *bat_priv, ip_src = batadv_arp_ip_src(skb, hdr_size); ip_dst = batadv_arp_ip_dst(skb, hdr_size); if (ipv4_is_loopback(ip_src) || ipv4_is_multicast(ip_src) || - ipv4_is_loopback(ip_dst) || ipv4_is_multicast(ip_dst)) + ipv4_is_loopback(ip_dst) || ipv4_is_multicast(ip_dst) || + ipv4_is_zeronet(ip_src) || ipv4_is_lbcast(ip_src) || + ipv4_is_zeronet(ip_dst) || ipv4_is_lbcast(ip_dst)) goto out; type = ntohs(arphdr->ar_op); -- cgit v1.2.3 From b618ad1103c9ea0c4a69b44f42fc3c7b4e231e22 Mon Sep 17 00:00:00 2001 From: Matthias Schiffer Date: Thu, 24 Jan 2013 18:18:27 +0100 Subject: batman-adv: filter ARP packets with invalid MAC addresses in DAT We never want multicast MAC addresses in the Distributed ARP Table, so it's best to completely ignore ARP packets containing them where we expect unicast addresses. Signed-off-by: Matthias Schiffer Acked-by: Antonio Quartulli Signed-off-by: Marek Lindner Signed-off-by: Antonio Quartulli --- net/batman-adv/distributed-arp-table.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'net/batman-adv') diff --git a/net/batman-adv/distributed-arp-table.c b/net/batman-adv/distributed-arp-table.c index ccb3c6c96ba7..183f97a86bb2 100644 --- a/net/batman-adv/distributed-arp-table.c +++ b/net/batman-adv/distributed-arp-table.c @@ -738,6 +738,7 @@ static uint16_t batadv_arp_get_type(struct batadv_priv *bat_priv, struct arphdr *arphdr; struct ethhdr *ethhdr; __be32 ip_src, ip_dst; + uint8_t *hw_src, *hw_dst; uint16_t type = 0; /* pull the ethernet header */ @@ -782,6 +783,18 @@ static uint16_t batadv_arp_get_type(struct batadv_priv *bat_priv, ipv4_is_zeronet(ip_dst) || ipv4_is_lbcast(ip_dst)) goto out; + hw_src = batadv_arp_hw_src(skb, hdr_size); + if (is_zero_ether_addr(hw_src) || is_multicast_ether_addr(hw_src)) + goto out; + + /* we don't care about the destination MAC address in ARP requests */ + if (arphdr->ar_op != htons(ARPOP_REQUEST)) { + hw_dst = batadv_arp_hw_dst(skb, hdr_size); + if (is_zero_ether_addr(hw_dst) || + is_multicast_ether_addr(hw_dst)) + goto out; + } + type = ntohs(arphdr->ar_op); out: return type; -- cgit v1.2.3