1 /*
2 * Copyright (C) 2007-2011 B.A.T.M.A.N. contributors:
4 * Marek Lindner
6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of version 2 of the GNU General Public
8 * License as published by the Free Software Foundation.
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of
12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
13 * General Public License for more details.
15 * You should have received a copy of the GNU General Public License
16 * along with this program; if not, write to the Free Software
17 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
18 * 02110-1301, USA
22 #include "main.h"
23 #include <linux/debugfs.h>
24 #include <linux/slab.h>
25 #include "icmp_socket.h"
26 #include "send.h"
27 #include "hash.h"
28 #include "originator.h"
29 #include "hard-interface.h"
/*
 * Table of open socket clients, indexed by the slot number stored in
 * socket_client->index. The same number is written into icmp_packet->uid
 * on transmit and used to look the client up again on receive.
 *
 * NOTE(review): no lock in this file guards the table itself; lookups and
 * updates from open/release/receive are unsynchronised - confirm whether
 * callers serialise them.
 */
static struct socket_client *socket_client_hash[256];

/* Forward declaration: used by bat_socket_write() before its definition. */
static void bat_socket_add_packet(struct socket_client *socket_client,
				  struct icmp_packet_rr *icmp_packet,
				  size_t icmp_len);
/**
 * bat_socket_init - mark every client slot as free
 *
 * Clears all entries of socket_client_hash so that bat_socket_open() can
 * hand out slots.
 */
void bat_socket_init(void)
{
	unsigned int slot;

	for (slot = 0; slot < ARRAY_SIZE(socket_client_hash); slot++)
		socket_client_hash[slot] = NULL;
}
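/**
 * bat_socket_open - register a new client for the ICMP socket file
 * @inode: inode of the debugfs file; i_private carries the bat_priv pointer
 * @file: file being opened; private_data receives the new socket_client
 *
 * Allocates a socket_client, claims the first free slot in
 * socket_client_hash and bumps the module use count.
 *
 * Return: 0 on success, -ENOMEM if the allocation fails, -EXFULL if all
 * slots are taken.
 */
static int bat_socket_open(struct inode *inode, struct file *file)
{
	unsigned int i;
	struct socket_client *socket_client;

	nonseekable_open(inode, file);

	socket_client = kmalloc(sizeof(*socket_client), GFP_KERNEL);

	if (!socket_client)
		return -ENOMEM;

	/*
	 * Initialise the client completely before it becomes reachable
	 * through socket_client_hash. bat_socket_receive_packet() looks
	 * clients up in that table and then takes ->lock and touches
	 * ->queue_list, so publishing an uninitialised object would let the
	 * receive path operate on garbage.
	 */
	INIT_LIST_HEAD(&socket_client->queue_list);
	socket_client->queue_len = 0;
	socket_client->bat_priv = inode->i_private;
	spin_lock_init(&socket_client->lock);
	init_waitqueue_head(&socket_client->queue_wait);

	/*
	 * NOTE(review): the slot scan is not protected by any lock or memory
	 * barrier, so two concurrent opens can still pick the same slot and
	 * the stores above are not ordered against the publication on weakly
	 * ordered CPUs. A lock shared with release/receive is needed to close
	 * that completely.
	 */
	for (i = 0; i < ARRAY_SIZE(socket_client_hash); i++) {
		if (!socket_client_hash[i]) {
			socket_client->index = i;
			socket_client_hash[i] = socket_client;
			break;
		}
	}

	if (i == ARRAY_SIZE(socket_client_hash)) {
		pr_err("Error - can't add another packet client: "
		       "maximum number of clients reached\n");
		kfree(socket_client);
		return -EXFULL;
	}

	file->private_data = socket_client;

	inc_module_count();
	return 0;
}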
/**
 * bat_socket_release - tear down a client when its file is closed
 * @inode: unused
 * @file: file whose private_data holds the socket_client
 *
 * Frees every queued packet, clears the client's slot in
 * socket_client_hash, frees the client and drops the module use count.
 *
 * NOTE(review): bat_socket_receive_packet() reads the slot without holding
 * any lock and only afterwards takes client->lock. Nothing visible here
 * stops it from fetching the pointer just before the kfree() below, which
 * would be a use-after-free - confirm how the receive path is serialised
 * against release.
 *
 * Return: always 0.
 */
static int bat_socket_release(struct inode *inode, struct file *file)
{
	struct socket_client *client = file->private_data;
	struct socket_packet *pkt, *next;

	spin_lock_bh(&client->lock);

	/* drop everything still waiting to be read */
	list_for_each_entry_safe(pkt, next, &client->queue_list, list) {
		list_del(&pkt->list);
		kfree(pkt);
	}

	/* unpublish the slot while still holding the client lock */
	socket_client_hash[client->index] = NULL;
	spin_unlock_bh(&client->lock);

	kfree(client);
	dec_module_count();

	return 0;
}
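/**
 * bat_socket_read - hand the oldest queued ICMP packet to user space
 * @file: open file; private_data holds the socket_client
 * @buf: user buffer to copy the packet into
 * @count: size of @buf; must be at least sizeof(struct icmp_packet)
 * @ppos: unused
 *
 * Blocks until a packet is queued (unless O_NONBLOCK is set), dequeues it
 * and copies at most @count bytes of it to @buf.
 *
 * Return: number of bytes copied, -EAGAIN when non-blocking and nothing is
 * queued, -EINVAL for a missing or too small buffer, -EFAULT if the user
 * buffer is not writable, or the error from an interrupted wait.
 */
static ssize_t bat_socket_read(struct file *file, char __user *buf,
			       size_t count, loff_t *ppos)
{
	struct socket_client *socket_client = file->private_data;
	struct socket_packet *socket_packet;
	size_t packet_len;
	int error;

	if ((file->f_flags & O_NONBLOCK) && (socket_client->queue_len == 0))
		return -EAGAIN;

	if ((!buf) || (count < sizeof(struct icmp_packet)))
		return -EINVAL;

	if (!access_ok(VERIFY_WRITE, buf, count))
		return -EFAULT;

	for (;;) {
		error = wait_event_interruptible(socket_client->queue_wait,
						 socket_client->queue_len);

		if (error)
			return error;

		spin_lock_bh(&socket_client->lock);

		/*
		 * queue_len was tested without the lock. Another reader
		 * sharing this file may have taken the packet in the
		 * meantime; list_first_entry() on an empty list would return
		 * a pointer into the client structure itself, which would
		 * then be unlinked, copied to user space and freed.
		 */
		if (!list_empty(&socket_client->queue_list))
			break;

		spin_unlock_bh(&socket_client->lock);

		if (file->f_flags & O_NONBLOCK)
			return -EAGAIN;
	}

	/* client lock is held here and the queue is known to be non-empty */
	socket_packet = list_first_entry(&socket_client->queue_list,
					 struct socket_packet, list);
	list_del(&socket_packet->list);
	socket_client->queue_len--;

	spin_unlock_bh(&socket_client->lock);

	/*
	 * Never copy more than the caller asked for, and never more than
	 * the stored packet length: the rest of the kmalloc'ed
	 * socket_packet is uninitialised heap memory.
	 */
	packet_len = min(count, socket_packet->icmp_len);
	error = copy_to_user(buf, &socket_packet->icmp_packet, packet_len);

	kfree(socket_packet);

	if (error)
		return -EFAULT;

	return packet_len;
}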
/**
 * bat_socket_write - send an ICMP echo request supplied by user space
 * @file: open file; private_data holds the socket_client
 * @buff: user buffer holding a struct icmp_packet or struct icmp_packet_rr
 * @len: number of bytes in @buff
 * @off: unused
 *
 * Only the fixed-size header is taken from user space: sizeof(struct
 * icmp_packet_rr) if @len is large enough for it, sizeof(struct
 * icmp_packet) otherwise. Anything beyond that is ignored. The packet's uid
 * field is overwritten with the caller's own slot index, so the reply is
 * routed back to this client regardless of what user space wrote there.
 *
 * If the packet cannot be sent (wrong compat version, mesh inactive, no
 * route) an error reply is queued on the client's own read queue instead.
 *
 * Return: @len on success or when an error reply was queued, -EINVAL for a
 * short buffer or an unexpected packet/message type, -EFAULT if no primary
 * interface is selected or the user copy fails, -ENOMEM if no skb could be
 * allocated.
 */
static ssize_t bat_socket_write(struct file *file, const char __user *buff,
				size_t len, loff_t *off)
{
	struct socket_client *client = file->private_data;
	struct bat_priv *bat_priv = client->bat_priv;
	struct hard_iface *primary_if = NULL;
	struct orig_node *orig_node = NULL;
	struct neigh_node *neigh_node = NULL;
	struct icmp_packet_rr *pkt;
	struct sk_buff *skb;
	size_t pkt_len;

	if (len < sizeof(struct icmp_packet)) {
		bat_dbg(DBG_BATMAN, bat_priv,
			"Error - can't send packet from char device: "
			"invalid packet size\n");
		return -EINVAL;
	}

	primary_if = primary_if_get_selected(bat_priv);
	if (!primary_if) {
		len = -EFAULT;
		goto out;
	}

	/* pick the header variant; this bounds the user copy below */
	pkt_len = (len >= sizeof(struct icmp_packet_rr)) ?
		  sizeof(struct icmp_packet_rr) : sizeof(struct icmp_packet);

	skb = dev_alloc_skb(pkt_len + sizeof(struct ethhdr));
	if (!skb) {
		len = -ENOMEM;
		goto out;
	}

	skb_reserve(skb, sizeof(struct ethhdr));
	pkt = (struct icmp_packet_rr *)skb_put(skb, pkt_len);

	if (copy_from_user(pkt, buff, pkt_len)) {
		len = -EFAULT;
		goto free_skb;
	}

	if (pkt->packet_type != BAT_ICMP) {
		bat_dbg(DBG_BATMAN, bat_priv,
			"Error - can't send packet from char device: "
			"got bogus packet type (expected: BAT_ICMP)\n");
		len = -EINVAL;
		goto free_skb;
	}

	if (pkt->msg_type != ECHO_REQUEST) {
		bat_dbg(DBG_BATMAN, bat_priv,
			"Error - can't send packet from char device: "
			"got bogus message type (expected: ECHO_REQUEST)\n");
		len = -EINVAL;
		goto free_skb;
	}

	/* replies are demultiplexed on uid, so force it to our own slot */
	pkt->uid = client->index;

	if (pkt->version != COMPAT_VERSION) {
		/* answer locally instead of putting the packet on the wire */
		pkt->msg_type = PARAMETER_PROBLEM;
		pkt->version = COMPAT_VERSION;
		bat_socket_add_packet(client, pkt, pkt_len);
		goto free_skb;
	}

	if (atomic_read(&bat_priv->mesh_state) != MESH_ACTIVE)
		goto dst_unreach;

	orig_node = orig_hash_find(bat_priv, pkt->dst);
	if (!orig_node)
		goto dst_unreach;

	neigh_node = orig_node_get_router(orig_node);
	if (!neigh_node)
		goto dst_unreach;

	if (!neigh_node->if_incoming ||
	    neigh_node->if_incoming->if_status != IF_ACTIVE)
		goto dst_unreach;

	memcpy(pkt->orig, primary_if->net_dev->dev_addr, ETH_ALEN);

	/* the rr field only exists in the larger header variant */
	if (pkt_len == sizeof(struct icmp_packet_rr))
		memcpy(pkt->rr,
		       neigh_node->if_incoming->net_dev->dev_addr, ETH_ALEN);

	/* the skb is handed to the send path here and is not freed below */
	send_skb_packet(skb, neigh_node->if_incoming, neigh_node->addr);
	goto out;

dst_unreach:
	pkt->msg_type = DESTINATION_UNREACHABLE;
	bat_socket_add_packet(client, pkt, pkt_len);
free_skb:
	kfree_skb(skb);
out:
	if (primary_if)
		hardif_free_ref(primary_if);
	if (neigh_node)
		neigh_node_free_ref(neigh_node);
	if (orig_node)
		orig_node_free_ref(orig_node);
	return len;
}
/**
 * bat_socket_poll - report whether a packet is ready to be read
 * @file: open file; private_data holds the socket_client
 * @wait: poll table to register the client's wait queue with
 *
 * queue_len is read without taking the client lock.
 *
 * Return: POLLIN | POLLRDNORM if at least one packet is queued, else 0.
 */
static unsigned int bat_socket_poll(struct file *file, poll_table *wait)
{
	struct socket_client *client = file->private_data;

	poll_wait(file, &client->queue_wait, wait);

	return (client->queue_len > 0) ? (POLLIN | POLLRDNORM) : 0;
}
/*
 * File operations of the ICMP socket file. The file is a non-seekable
 * packet queue: open/release manage the per-client state, read/write/poll
 * move ICMP packets between user space and the mesh.
 */
static const struct file_operations fops = {
	.owner   = THIS_MODULE,
	.llseek  = no_llseek,
	.open    = bat_socket_open,
	.release = bat_socket_release,
	.read    = bat_socket_read,
	.write   = bat_socket_write,
	.poll    = bat_socket_poll,
};
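/**
 * bat_socket_setup - create the ICMP socket file for a mesh instance
 * @bat_priv: mesh instance; its debug_dir is the parent directory and the
 *            pointer itself is stored as the file's private data
 *
 * The file is created readable and writable by its owner only
 * (S_IRUSR | S_IWUSR).
 *
 * Return: 0 on success, 1 if there is no debug directory or the file could
 * not be created.
 */
int bat_socket_setup(struct bat_priv *bat_priv)
{
	struct dentry *d;

	if (!bat_priv->debug_dir)
		return 1;

	d = debugfs_create_file(ICMP_SOCKET, S_IFREG | S_IWUSR | S_IRUSR,
				bat_priv->debug_dir, bat_priv, &fops);

	/*
	 * A NULL dentry means the file was not created. The check used to be
	 * inverted, reporting an error on success and success on failure.
	 *
	 * NOTE(review): depending on kernel version and configuration
	 * debugfs_create_file() may report failure through an ERR_PTR value
	 * instead of NULL - confirm for the target tree.
	 */
	if (!d)
		return 1;

	return 0;
}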
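/**
 * bat_socket_add_packet - queue a copy of an ICMP packet for a client
 * @socket_client: client whose read queue receives the packet
 * @icmp_packet: packet to copy; its uid field selects the slot that is
 *               re-checked under the lock
 * @icmp_len: number of bytes of @icmp_packet to store
 *
 * Copies @icmp_len bytes into a freshly allocated socket_packet, appends it
 * to the client's queue and wakes any reader. When the queue grows beyond
 * 100 entries the oldest one is discarded. Allocation failures and
 * oversized packets are dropped silently.
 */
static void bat_socket_add_packet(struct socket_client *socket_client,
				  struct icmp_packet_rr *icmp_packet,
				  size_t icmp_len)
{
	struct socket_packet *socket_packet;

	/*
	 * icmp_len is supplied by the caller and, on the receive path,
	 * derives from a packet that arrived over the network. Refuse
	 * anything that does not fit the storage inside socket_packet
	 * rather than letting the memcpy() below run past the allocation.
	 * sizeof does not evaluate its operand, so the pointer may still be
	 * unset here.
	 */
	if (icmp_len > sizeof(socket_packet->icmp_packet))
		return;

	socket_packet = kmalloc(sizeof(*socket_packet), GFP_ATOMIC);

	if (!socket_packet)
		return;

	INIT_LIST_HEAD(&socket_packet->list);
	memcpy(&socket_packet->icmp_packet, icmp_packet, icmp_len);
	socket_packet->icmp_len = icmp_len;

	spin_lock_bh(&socket_client->lock);

	/*
	 * While waiting for the lock the socket_client could have been
	 * deleted.
	 *
	 * NOTE(review): this only tests that the slot is non-NULL, not that
	 * it still points to @socket_client, and the lock taken above lives
	 * inside the object that may already have been freed - confirm how
	 * this path is serialised against bat_socket_release().
	 * NOTE(review): uid indexes a 256-entry table without a range check;
	 * that is only safe if the field is 8 bits wide - verify against the
	 * struct definition.
	 */
	if (!socket_client_hash[icmp_packet->uid]) {
		spin_unlock_bh(&socket_client->lock);
		kfree(socket_packet);
		return;
	}

	list_add_tail(&socket_packet->list, &socket_client->queue_list);
	socket_client->queue_len++;

	/* bound the memory a slow or absent reader can pin: drop the oldest */
	if (socket_client->queue_len > 100) {
		socket_packet = list_first_entry(&socket_client->queue_list,
						 struct socket_packet, list);

		list_del(&socket_packet->list);
		kfree(socket_packet);
		socket_client->queue_len--;
	}

	spin_unlock_bh(&socket_client->lock);

	wake_up(&socket_client->queue_wait);
}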
/**
 * bat_socket_receive_packet - deliver a received ICMP packet to its client
 * @icmp_packet: received packet; its uid field selects the client slot
 * @icmp_len: number of bytes of @icmp_packet to deliver
 *
 * Packets whose uid names an empty slot are dropped.
 *
 * NOTE(review): uid comes from the packet itself, so the sender chooses
 * which local client receives it; nothing here ties the reply to a request
 * that client actually sent. The table lookup is also done without a lock
 * and without a range check - safe only if uid cannot exceed 255 and the
 * caller has validated icmp_len; confirm both against the callers.
 */
void bat_socket_receive_packet(struct icmp_packet_rr *icmp_packet,
			       size_t icmp_len)
{
	struct socket_client *client = socket_client_hash[icmp_packet->uid];

	if (!client)
		return;

	bat_socket_add_packet(client, icmp_packet, icmp_len);
}