On Friday 06 May 2016 22:27:09 Sven Eckelmann wrote:
> The router is put down twice when it was non-NULL and either orig_ifinfo is
> NULL afterwards or batman-adv receives a packet with the same sequence
> number. This will end up in a use-after-free when the batadv_neigh_node is
> removed because the reference counter ended up too early at 0.
>
> Fixes: 667996ebeab4 ("batman-adv: OGMv2 - implement originators logic")
> Signed-off-by: Sven Eckelmann <[email protected]>
[...]
There is a conflict with master. I hope that Antonio can share how it can be
resolved when he submits the following remaining fixes to David:
* batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
* batman-adv: Avoid duplicate neigh_node additions
* batman-adv: make sure ELP/OGM orig MAC is updated on address change
* batman-adv: Fix unexpected free of bcast_own on add_if error
* batman-adv: Avoid nullptr dereference in batadv_v_neigh_is_sob
* batman-adv: Fix refcnt leak in batadv_v_neigh_*
* batman-adv: Fix double neigh_node_put in batadv_v_ogm_route_update
The solution for the merge conflict with master is:
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -510,17 +510,10 @@
goto out;
}
-<<<<<<<
/* Mark the OGM to be considered for forwarding, and update routes
* if needed.
*/
forward = true;
-=======
- if (router) {
- batadv_neigh_node_put(router);
- router = NULL;
- }
->>>>>>>
batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
"Searching and updating originator entry of received
packet\n");
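Review bot: with the `if (router) { batadv_neigh_node_put(router); router = NULL; }` block between the conflict markers dropped, no release of `router` is visible anywhere in this hunk, so the resolution should say where the one remaining put happens (presumably in the cleanup reached by the `goto out` above) and that it tolerates a NULL `router`. The patch being merged fixes a double put that ends in a use-after-free, so the check to make against master is that every path through this function performs exactly one `batadv_neigh_node_put(router)`: no second put after this point, and no path that skips it and leaks the reference. The hunk is also taken against the conflicted file (the `<<<<<<<`, `=======` and `>>>>>>>` lines are removed with `-`), so it documents the resolution rather than applying to either tree; stating which side is kept would make that explicit.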
