Staging: batman-adv: ensure that eth_type_trans gets linear memory

commit b6faaae1a15a352d68b3e3cd8b840e56709820bf upstream.

eth_type_trans tries to pull data with the length of the ethernet header
from the skb. We only ensured that enough data for the first ethernet
header and the batman header is available in non-paged memory of the skb
and not for the ethernet after the batman header.

eth_type_trans would fail sometimes with drivers which don't ensure that
all there data is perfectly linearised.

The failure was noticed through a kernel bug Oops generated by the
skb_pull inside eth_type_trans.

Reported-by: Rafal Lesniak <lesniak@eresi-project.org>
Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
Signed-off-by: Sven Eckelmann <sven.eckelmann@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

1 files changed, 4 insertions, 0 deletions

diff --git a/drivers/staging/batman-adv/soft-interface.c b/drivers/staging/batman-adv/soft-interface.c
index 2ea97de435ce..876be5a2913d 100644
--- a/drivers/staging/batman-adv/soft-interface.c
+++ b/drivers/staging/batman-adv/soft-interface.c
@@ -246,6 +246,10 @@ void interface_rx(struct sk_buff *skb, int hdr_size)
 	skb_pull_rcsum(skb, hdr_size);
 /*	skb_set_mac_header(skb, -sizeof(struct ethhdr));*/
 
+	if (unlikely(!pskb_may_pull(skb, ETH_HLEN))) {
+		kfree_skb(skb);
+		return;
+	}
 	skb->dev = dev;
 	skb->protocol = eth_type_trans(skb, dev);