--- /dev/null
+From foo@baz Wed 18 Mar 2020 05:59:41 PM CET
+From: Sven Eckelmann <sven@narfation.org>
+Date: Tue, 17 Mar 2020 21:15:39 +0100
+Subject: batman-adv: Avoid probe ELP information leak
+To: stable@vger.kernel.org
+Cc: Sven Eckelmann <sven@narfation.org>, Antonio Quartulli <a@unstable.cc>, Simon Wunderlich <sw@simonwunderlich.de>
+Message-ID: <20200317201540.23496-3-sven@narfation.org>
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 88d0895d0ea9d4431507d576c963f2ff9918144d upstream.
+
+The probe ELPs for WiFi interfaces are expanded to contain at least
+BATADV_ELP_MIN_PROBE_SIZE bytes. This is usually a lot more than the
+number of bytes which the template ELP packet requires.
+
+These extra padding bytes were not initialized and thus could contain data
+which were previously stored at the same location. It is therefore required
+to set it to some predefined or random values to avoid leaking private
+information from the system transmitting these kind of packets.
+
+Fixes: e4623c913508 ("batman-adv: Avoid probe ELP information leak")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Acked-by: Antonio Quartulli <a@unstable.cc>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_v_elp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -191,6 +191,7 @@ batadv_v_elp_wifi_neigh_probe(struct bat
+ struct sk_buff *skb;
+ int probe_len, i;
+ int elp_skb_len;
++ void *tmp;
+
+ /* this probing routine is for Wifi neighbours only */
+ if (!batadv_is_wifi_netdev(hard_iface->net_dev))
+@@ -222,7 +223,8 @@ batadv_v_elp_wifi_neigh_probe(struct bat
+ * the packet to be exactly of that size to make the link
+ * throughput estimation effective.
+ */
+- skb_put(skb, probe_len - hard_iface->bat_v.elp_skb->len);
++ tmp = skb_put(skb, probe_len - hard_iface->bat_v.elp_skb->len);
++ memset(tmp, 0, probe_len - hard_iface->bat_v.elp_skb->len);
+
+ batadv_dbg(BATADV_DBG_BATMAN, bat_priv,
+ "Sending unicast (probe) ELP packet on interface %s to %pM\n",
--- /dev/null
+From foo@baz Wed 18 Mar 2020 05:59:41 PM CET
+From: Sven Eckelmann <sven@narfation.org>
+Date: Tue, 17 Mar 2020 21:15:38 +0100
+Subject: batman-adv: update data pointers after skb_cow()
+To: stable@vger.kernel.org
+Cc: Matthias Schiffer <mschiffer@universe-factory.net>, Sven Eckelmann <sven@narfation.org>
+Message-ID: <20200317201540.23496-2-sven@narfation.org>
+
+From: Matthias Schiffer <mschiffer@universe-factory.net>
+
+commit bc44b78157f621ff2a2618fe287a827bcb094ac4 upstream.
+
+batadv_check_unicast_ttvn() calls skb_cow(), so pointers into the SKB data
+must be (re)set after calling it. The ethhdr variable is dropped
+altogether.
+
+Fixes: 78fc6bbe0aca ("batman-adv: add UNICAST_4ADDR packet type")
+Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/routing.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/routing.c
++++ b/net/batman-adv/routing.c
+@@ -930,7 +930,6 @@ int batadv_recv_unicast_packet(struct sk
+ bool is4addr;
+
+ unicast_packet = (struct batadv_unicast_packet *)skb->data;
+- unicast_4addr_packet = (struct batadv_unicast_4addr_packet *)skb->data;
+
+ is4addr = unicast_packet->packet_type == BATADV_UNICAST_4ADDR;
+ /* the caller function should have already pulled 2 bytes */
+@@ -951,9 +950,13 @@ int batadv_recv_unicast_packet(struct sk
+ if (!batadv_check_unicast_ttvn(bat_priv, skb, hdr_size))
+ return NET_RX_DROP;
+
++ unicast_packet = (struct batadv_unicast_packet *)skb->data;
++
+ /* packet for me */
+ if (batadv_is_my_mac(bat_priv, unicast_packet->dest)) {
+ if (is4addr) {
++ unicast_4addr_packet =
++ (struct batadv_unicast_4addr_packet *)skb->data;
+ subtype = unicast_4addr_packet->subtype;
+ batadv_dat_inc_counter(bat_priv, subtype);
+
--- /dev/null
+From foo@baz Wed 18 Mar 2020 05:59:41 PM CET
+From: Sven Eckelmann <sven@narfation.org>
+Date: Tue, 17 Mar 2020 21:15:40 +0100
+Subject: batman-adv: Use explicit tvlv padding for ELP packets
+To: stable@vger.kernel.org
+Cc: "Sven Eckelmann" <sven@narfation.org>, "Linus Lüssing" <linus.luessing@c0d3.blue>, "Simon Wunderlich" <sw@simonwunderlich.de>
+Message-ID: <20200317201540.23496-4-sven@narfation.org>
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit f4156f9656feac21f4de712fac94fae964c5d402 upstream.
+
+The announcement messages of batman-adv COMPAT_VERSION 15 have the
+possibility to announce additional information via a dynamic TVLV part.
+This part is optional for the ELP packets and currently not parsed by the
+Linux implementation. Still out-of-tree versions are using it to transport
+things like neighbor hashes to optimize the rebroadcast behavior.
+
+Since the ELP broadcast packets are smaller than the minimal ethernet
+packet, it often has to be padded. This is often done (as specified in
+RFC894) with octets of zero and thus work perfectly fine with the TVLV
+part (making it a zero length and thus empty). But not all ethernet
+compatible hardware seems to follow this advice. To avoid ambiguous
+situations when parsing the TVLV header, just force the 4 bytes (TVLV
+length + padding) after the required ELP header to zero.
+
+Fixes: d6f94d91f766 ("batman-adv: ELP - adding basic infrastructure")
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/batman-adv/bat_v_elp.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/batman-adv/bat_v_elp.c
++++ b/net/batman-adv/bat_v_elp.c
+@@ -335,21 +335,23 @@ out:
+ */
+ int batadv_v_elp_iface_enable(struct batadv_hard_iface *hard_iface)
+ {
++ static const size_t tvlv_padding = sizeof(__be32);
+ struct batadv_elp_packet *elp_packet;
+ unsigned char *elp_buff;
+ u32 random_seqno;
+ size_t size;
+ int res = -ENOMEM;
+
+- size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN;
++ size = ETH_HLEN + NET_IP_ALIGN + BATADV_ELP_HLEN + tvlv_padding;
+ hard_iface->bat_v.elp_skb = dev_alloc_skb(size);
+ if (!hard_iface->bat_v.elp_skb)
+ goto out;
+
+ skb_reserve(hard_iface->bat_v.elp_skb, ETH_HLEN + NET_IP_ALIGN);
+- elp_buff = skb_put(hard_iface->bat_v.elp_skb, BATADV_ELP_HLEN);
++ elp_buff = skb_put(hard_iface->bat_v.elp_skb,
++ BATADV_ELP_HLEN + tvlv_padding);
+ elp_packet = (struct batadv_elp_packet *)elp_buff;
+- memset(elp_packet, 0, BATADV_ELP_HLEN);
++ memset(elp_packet, 0, BATADV_ELP_HLEN + tvlv_padding);
+
+ elp_packet->packet_type = BATADV_ELP;
+ elp_packet->version = BATADV_COMPAT_VERSION;
batman-adv-avoid-free-alloc-race-when-handling-ogm2-buffer.patch
batman-adv-avoid-free-alloc-race-when-handling-ogm-buffer.patch
batman-adv-don-t-schedule-ogm-for-disabled-interface.patch
+batman-adv-update-data-pointers-after-skb_cow.patch
+batman-adv-avoid-probe-elp-information-leak.patch
+batman-adv-use-explicit-tvlv-padding-for-elp-packets.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
