From patchwork Mon Aug 5 22:32:05 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Linus Lüssing
X-Patchwork-Id: 264817
X-Patchwork-Delegate: davem@davemloft.net
From: Linus Lüssing
To: bridge@lists.linux-foundation.org
Cc: Stephen Hemminger, "David S. Miller", netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Herbert Xu, Cong Wang, Adam Baker, Linus Lüssing, Paul Bolle
Subject: [PATCH] bridge: don't try to update timers in case of broken MLD queries
Date: Tue, 6 Aug 2013 00:32:05 +0200
Message-Id: <1375741925-22179-1-git-send-email-linus.luessing@web.de>
X-Mailer: git-send-email 1.8.3.2

Currently we are reading an uninitialized value for the max_delay variable when snooping an MLD query message of invalid length and would update our timers with that.

Fixing this by simply ignoring such broken MLD queries (just like we do for IGMP already).

This is a regression introduced by: "bridge: disable snooping if there is no querier" (b00589af3b04)

Reported-by: Paul Bolle
Signed-off-by: Linus Lüssing
---
 net/bridge/br_multicast.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c index 61c5e81..08e576a 100644 --- a/net/bridge/br_multicast.c +++ b/net/bridge/br_multicast.c @@ -1195,7 +1195,7 @@ static int br_ip6_multicast_query(struct net_bridge *br, max_delay = msecs_to_jiffies(ntohs(mld->mld_maxdelay)); if (max_delay) group = &mld->mld_mca; - } else if (skb->len >= sizeof(*mld2q)) { + } else { if (!pskb_may_pull(skb, sizeof(*mld2q))) { err = -EINVAL; goto out;
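
Review bot: The new `} else {` branch in br_ip6_multicast_query() makes a too-short query end at `err = -EINVAL; goto out;`, while the commit message only says such queries are ignored; please state in the message that malformed MLD queries now return -EINVAL, so the behaviour change for callers is on record. Since the explicit `skb->len >= sizeof(*mld2q)` test that documented the intent is removed, a one-line comment above the `pskb_may_pull(skb, sizeof(*mld2q))` check would help, noting that this check is now the only length validation on this path and is what prevents max_delay from being used uninitialized.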