[PATCH 4.4 117/143] batman-adv: Force mac header to start of data on xmit

From: Greg Kroah-Hartman
Date: Mon Feb 18 2019 - 09:21:48 EST


4.4-stable review patch. If anyone has any objections, please let me know.

------------------

From: Sven Eckelmann <sven@xxxxxxxxxxxxx>

commit 9114daa825fc3f335f9bea3313ce667090187280 upstream.

The caller of ndo_start_xmit may not already have called
skb_reset_mac_header. The returned value of skb_mac_header/eth_hdr
therefore can be in the wrong position and even outside the current skbuff.
This for example happens when the user binds to the device using a
PF_PACKET-SOCK_RAW with enabled qdisc-bypass:

int opt = 4;
setsockopt(sock, SOL_PACKET, PACKET_QDISC_BYPASS, &opt, sizeof(opt));

Since eth_hdr is used all over the codebase, the batadv_interface_tx
function must always take care of resetting it.

Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
Reported-by: syzbot+9d7405c7faa390e60b4e@xxxxxxxxxxxxxxxxxxxxxxxxx
Reported-by: syzbot+7d20bc3f1ddddc0f9079@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Sven Eckelmann <sven@xxxxxxxxxxxxx>
Signed-off-by: Simon Wunderlich <sw@xxxxxxxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
net/batman-adv/soft-interface.c | 2 ++
1 file changed, 2 insertions(+)

--- a/net/batman-adv/soft-interface.c
+++ b/net/batman-adv/soft-interface.c
@@ -209,6 +209,8 @@ static int batadv_interface_tx(struct sk

soft_iface->trans_start = jiffies;
vid = batadv_get_vid(skb, 0);
+
+ skb_reset_mac_header(skb);
ethhdr = eth_hdr(skb);

switch (ntohs(ethhdr->h_proto)) {