On Friday 06 May 2016 22:27:09 Sven Eckelmann wrote:
> The router is put down twice when it was non-NULL and either orig_ifinfo is
> NULL afterwards or batman-adv receives a packet with the same sequence
> number. This will end up in a use-after-free when the batadv_neigh_node is
> removed because the reference counter ended up too early at 0.
> 
> Fixes: 667996ebeab4 ("batman-adv: OGMv2 - implement originators logic")
> Signed-off-by: Sven Eckelmann <[email protected]>
[...]

There is a conflict with master. I hope that Antonio can share how it can be
resolved when he submits following remaining fixes to David:

 * batman-adv: Fix integer overflow in batadv_iv_ogm_calc_tq
 * batman-adv: Avoid duplicate neigh_node additions
 * batman-adv: make sure ELP/OGM orig MAC is updated on address change
 * batman-adv: Fix unexpected free of bcast_own on add_if error
 * batman-adv: Avoid nullptr derefence in batadv_v_neigh_is_sob
 * batman-adv: Fix refcnt leak in batadv_v_neigh_*
 * batman-adv: Fix double neigh_node_put in batadv_v_ogm_route_update

The solution for the merge conflict with master is:

--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -510,17 +510,10 @@
                goto out;
        }
 
-<<<<<<<
        /* Mark the OGM to be considered for forwarding, and update routes
         * if needed.
         */
        forward = true;
-=======
-       if (router) {
-               batadv_neigh_node_put(router);
-               router = NULL;
-       }
->>>>>>>
 
        batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
                   "Searching and updating originator entry of received 
packet\n");

Attachment: signature.asc
Description: This is a digitally signed message part.

Reply via email to