const struct batadv_ogm_packet *ogm_packet)
{
int next_buff_pos = 0;
+ u16 tvlv_len;
/* check if there is enough space for the header */
next_buff_pos += buff_pos + sizeof(*ogm_packet);
if (next_buff_pos > packet_len)
return false;
+ tvlv_len = ntohs(ogm_packet->tvlv_len);
+
+ /* the fields of an aggregated OGM are accessed assuming (at least)
+ * 2-byte alignment, so a following OGM must start at an even offset.
+ */
+ if (tvlv_len & 1)
+ return false;
+
/* check if there is enough space for the optional TVLV */
- next_buff_pos += ntohs(ogm_packet->tvlv_len);
+ next_buff_pos += tvlv_len;
return next_buff_pos <= packet_len;
}
const struct batadv_ogm2_packet *ogm2_packet)
{
int next_buff_pos = 0;
+ u16 tvlv_len;
/* check if there is enough space for the header */
next_buff_pos += buff_pos + sizeof(*ogm2_packet);
if (next_buff_pos > packet_len)
return false;
+ tvlv_len = ntohs(ogm2_packet->tvlv_len);
+
+ /* the fields of an aggregated OGMv2 are accessed assuming (at least)
+ * 2-byte alignment, so a following OGMv2 must start at an even offset.
+ */
+ if (tvlv_len & 1)
+ return false;
+
/* check if there is enough space for the optional TVLV */
- next_buff_pos += ntohs(ogm2_packet->tvlv_len);
+ next_buff_pos += tvlv_len;
return next_buff_pos <= packet_len;
}
if (tvlv_buff_len > skb->len - hdr_size)
goto free_skb;
+ /* the fields of an multicast payload are accessed assuming (at least)
+ * 2-byte alignment, so a following packet must start at an even offset.
+ */
+ if (tvlv_buff_len & 1)
+ goto free_skb;
+
ret = batadv_tvlv_containers_process(bat_priv, BATADV_MCAST, NULL, skb,
tvlv_buff, tvlv_buff_len);
if (ret >= 0) {
if (tvlv_value_cont_len > tvlv_value_len)
break;
+ /* the next tvlv header is accessed assuming (at least) 2-byte
+ * alignment, so it must start at an even offset.
+ */
+ if (tvlv_value_cont_len & 1)
+ break;
+
tvlv_handler = batadv_tvlv_handler_get(bat_priv,
tvlv_hdr->type,
tvlv_hdr->version);
projects / thirdparty / linux.git / commitdiff
