aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAntonio Quartulli <ordex@autistici.org>2012-02-27 11:29:53 +0100
committerAntonio Quartulli <ordex@autistici.org>2012-05-11 10:08:08 +0200
commit9205cc521ec74bd510857a464d4ac4edee949bfd (patch)
treeddc2e18bc62e0b8123df5c2ae956741e33222180
parent06a4c1c55dbe5d9f7a708e8f1a52fd2ac8e5874f (diff)
downloadkernel_goldelico_gta04-9205cc521ec74bd510857a464d4ac4edee949bfd.zip
kernel_goldelico_gta04-9205cc521ec74bd510857a464d4ac4edee949bfd.tar.gz
kernel_goldelico_gta04-9205cc521ec74bd510857a464d4ac4edee949bfd.tar.bz2
batman-adv: fix wrong dhcp option list browsing
In is_type_dhcprequest(), while parsing a DHCP message, if the entry we found in the option list is neither a padding nor the dhcp-type, we have to ignore it and jump as many bytes as its length + 1. The "+ 1" byte is given by the subtype field itself that has to be jumped too. Reported-by: Marek Lindner <lindner_marek@yahoo.de> Signed-off-by: Antonio Quartulli <ordex@autistici.org>
-rw-r--r--net/batman-adv/gateway_client.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/net/batman-adv/gateway_client.c b/net/batman-adv/gateway_client.c
index 6f9b9b7..47f7186 100644
--- a/net/batman-adv/gateway_client.c
+++ b/net/batman-adv/gateway_client.c
@@ -558,10 +558,10 @@ static bool is_type_dhcprequest(struct sk_buff *skb, int header_len)
p++;
/* ...and then we jump over the data */
- if (pkt_len < *p)
+ if (pkt_len < 1 + (*p))
goto out;
- pkt_len -= *p;
- p += (*p);
+ pkt_len -= 1 + (*p);
+ p += 1 + (*p);
}
}
out: