From patchwork Fri Apr 20 18:54:13 2018
X-Patchwork-Submitter: Alexander Aring
X-Patchwork-Id: 10353519
From: Alexander Aring
To: stefan@osg.samsung.com
Cc: linux-wpan@vger.kernel.org, eric.dumazet@gmail.com, kernel@mojatatu.com, Alexander Aring
Subject: [PATCH wpan] net: ieee802154: 6lowpan: fix frag reassembly
Date: Fri, 20 Apr 2018 14:54:13 -0400
Message-Id: <20180420185413.8818-1-aring@mojatatu.com>

This patch initializes stack variables which are used in frag_lowpan_compare_key to zero. In my case there are padding bytes in the structures ieee802154_addr as well as in frag_lowpan_compare_key. Otherwise the key variable contains random bytes. The result is that a compare of two keys by memcmp works incorrectly.

Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")
Signed-off-by: Alexander Aring
Reported-by: Stefan Schmidt
---
So far I see it's a case of 32 alignment in frag_v4_compare_key and frag_v6_compare_key and I am not sure if this works on all arch correctly.

net/ieee802154/6lowpan/6lowpan_i.h | 4 ++-- net/ieee802154/6lowpan/reassembly.c | 14 +++++++------- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/net/ieee802154/6lowpan/6lowpan_i.h b/net/ieee802154/6lowpan/6lowpan_i.h index b8d95cb71c25..44a7e16bf3b5 100644 --- a/net/ieee802154/6lowpan/6lowpan_i.h +++ b/net/ieee802154/6lowpan/6lowpan_i.h @@ -20,8 +20,8 @@ typedef unsigned __bitwise lowpan_rx_result; struct frag_lowpan_compare_key { u16 tag; u16 d_size; - const struct ieee802154_addr src; - const struct ieee802154_addr dst; + struct ieee802154_addr src; + struct ieee802154_addr dst; }; /* Equivalent of ipv4 struct ipq diff --git a/net/ieee802154/6lowpan/reassembly.c b/net/ieee802154/6lowpan/reassembly.c index 1790b65944b3..2cc224106b69 100644 --- a/net/ieee802154/6lowpan/reassembly.c +++ b/net/ieee802154/6lowpan/reassembly.c 
@@ -75,14 +75,14 @@ fq_find(struct net *net, const struct lowpan_802154_cb *cb, { struct netns_ieee802154_lowpan *ieee802154_lowpan = net_ieee802154_lowpan(net); - struct frag_lowpan_compare_key key = { - .tag = cb->d_tag, - .d_size = cb->d_size, - .src = *src, - .dst = *dst, - }; + struct frag_lowpan_compare_key key = {}; struct inet_frag_queue *q; + key.tag = cb->d_tag; + key.d_size = cb->d_size; + key.src = *src; + key.dst = *dst; + q = inet_frag_find(&ieee802154_lowpan->frags, &key); if (!q) return NULL; @@ -372,7 +372,7 @@ int lowpan_frag_rcv(struct sk_buff *skb, u8 frag_type) struct lowpan_frag_queue *fq; struct net *net = dev_net(skb->dev); struct lowpan_802154_cb *cb = lowpan_802154_cb(skb); - struct ieee802154_hdr hdr; + struct ieee802154_hdr hdr = {}; int err; if (ieee802154_hdr_peek_addrs(skb, &hdr) < 0)
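
Review bot: struct frag_lowpan_compare_key in 6lowpan_i.h carries no comment saying that it is compared with memcmp and that every byte of it, padding included, has to be initialized. With the const qualifiers gone from src and dst, nothing at the definition hints at that constraint any more, so a short comment above the struct would keep a later cleanup from reintroducing a partially initialized key.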
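
Review bot: In fq_find(), `struct frag_lowpan_compare_key key = {};` relies on the compiler clearing padding for an empty initializer rather than on a language guarantee, and the following `key.src = *src;` and `key.dst = *dst;` are whole-struct assignments that may carry over whatever padding bytes the source objects hold. Because the key is compared with memcmp, an explicit memset(&key, 0, sizeof(key)) followed by copying the address fields individually would not depend on compiler behaviour or on every caller having zeroed its ieee802154_addr.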
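
Review bot: In lowpan_frag_rcv(), the reason for `struct ieee802154_hdr hdr = {};` is not visible at the declaration, since hdr is passed to ieee802154_hdr_peek_addrs() on the next statement and the initializer looks redundant. Per the commit message it matters only because stack data ends up in the memcmp-compared key, so a one-line comment here (or zeroing where the key is built instead) would stop it from being dropped later.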
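
The failure described in the commit message, reproduced deterministically as an added example (not code from the patch or the kernel): `demo_addr`, `demo_key` and all function names are hypothetical stand-ins with an assumed layout, and stale stack contents are simulated by writing one padding byte directly.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the kernel structs; names and layout are assumptions. */
struct demo_addr { uint8_t mode; uint16_t pan_id; uint64_t extended; };
struct demo_key  { uint16_t tag; uint16_t d_size; struct demo_addr src, dst; };

/* Zero every byte, padding included, then copy only the meaningful fields. */
void key_init(struct demo_key *k, uint16_t tag, uint16_t d_size,
              const struct demo_addr *src, const struct demo_addr *dst)
{
    memset(k, 0, sizeof(*k));
    k->tag = tag;
    k->d_size = d_size;
    k->src.mode = src->mode; k->src.pan_id = src->pan_id; k->src.extended = src->extended;
    k->dst.mode = dst->mode; k->dst.pan_id = dst->pan_id; k->dst.extended = dst->extended;
}

/* Simulate stale stack contents (constructed): dirty the padding byte after src.mode. */
void poison_padding(struct demo_key *k, uint8_t junk)
{
    ((unsigned char *)k)[offsetof(struct demo_key, src) + sizeof(uint8_t)] = junk;
}

/* Byte-wise compare, as a memcmp-based key lookup does: padding counts. */
int equal_bytewise(const struct demo_key *a, const struct demo_key *b)
{
    return memcmp(a, b, sizeof(*a)) == 0;
}

/* Bit 0: match after zeroed init; bit 1: after dirty padding; bit 2: after rebuild. */
int demo(void)
{
    struct demo_addr s = { .mode = 2, .pan_id = 0xabcd, .extended = 0x1122334455667788ULL };
    struct demo_addr d = { .mode = 3, .pan_id = 0xabcd, .extended = 0x8877665544332211ULL };
    struct demo_key a, b;
    int mask = 0;
    key_init(&a, 7, 1280, &s, &d);
    key_init(&b, 7, 1280, &s, &d);
    mask |= equal_bytewise(&a, &b) << 0;
    poison_padding(&b, 0xAA);               /* same fields, different padding */
    mask |= equal_bytewise(&a, &b) << 1;
    key_init(&b, 7, 1280, &s, &d);
    mask |= equal_bytewise(&a, &b) << 2;
    return mask;
}

int main(void) { return demo() == 5 ? 0 : 1; }
```

Two keys with identical fields stop matching as soon as one padding byte differs, which is why fragments of the same datagram would land in different reassembly queues.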