+From e56c79f4e863436d0fc6c48fed0db09b7a49e565 Mon Sep 17 00:00:00 2001
+From: Marek Lindner <lindner_marek@yahoo.de>
+Date: Mon, 4 Mar 2013 10:39:49 +0800
+Subject: [PATCH] batman-adv: verify tt len does not exceed packet len
+
+batadv_iv_ogm_process() accesses the packet using the tt_num_changes
+attribute regardless of the real packet len (assuming the length check
+was done before). Therefore a length check is needed to avoid reading
+random memory.
+
+Signed-off-by: Marek Lindner <lindner_marek@yahoo.de>
+---
+ bat_iv_ogm.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/bat_iv_ogm.c b/bat_iv_ogm.c
+index 72fe1bb..d5be889 100644
+--- a/bat_iv_ogm.c
++++ b/bat_iv_ogm.c
+@@ -1292,7 +1292,8 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
+ batadv_ogm_packet = (struct batadv_ogm_packet *)packet_buff;
+
+ /* unpack the aggregated packets and process them one by one */
+- do {
++ while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,
++ batadv_ogm_packet->tt_num_changes)) {
+ tt_buff = packet_buff + buff_pos + BATADV_OGM_HLEN;
+
+ batadv_iv_ogm_process(ethhdr, batadv_ogm_packet, tt_buff,
+@@ -1303,8 +1304,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
+
+ packet_pos = packet_buff + buff_pos;
+ batadv_ogm_packet = (struct batadv_ogm_packet *)packet_pos;
+- } while (batadv_iv_ogm_aggr_packet(buff_pos, packet_len,
+- batadv_ogm_packet->tt_num_changes));
++ }
+
+ kfree_skb(skb);
+ return NET_RX_SUCCESS;
+--
+1.7.10.4
+