]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
batman-adv: tt: prevent TVLV OOB check overflow
authorSven Eckelmann <sven@narfation.org>
Fri, 3 Jul 2026 20:27:13 +0000 (22:27 +0200)
committerSven Eckelmann <sven@narfation.org>
Mon, 6 Jul 2026 05:18:58 +0000 (07:18 +0200)
A TT unicast TVLV contains the number of VLANs stored in it. This number is
an u16 and gets multiplied by the size of the struct
batadv_tvlv_tt_vlan_data (8 bytes). The size can therefore overflow the u16
used to store the tt_vlan_len. All additional safety checks to prevent
out-of-bounds access of the TVLV buffer are invalid due to this overflow.

Using size_t prevents this overflow and ensures that the safety checks
compare against the actual buffer requirements.

Cc: stable@vger.kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
net/batman-adv/translation-table.c

index aae72015645a467144c3f9136fbbbdd686e1b08b..dae5e1d8c03859f8149a2ec534e06cafeeed0860 100644 (file)
@@ -4033,7 +4033,8 @@ static int batadv_tt_tvlv_unicast_handler_v1(struct batadv_priv *bat_priv,
                                             u16 tvlv_value_len)
 {
        struct batadv_tvlv_tt_data *tt_data;
-       u16 tt_vlan_len, tt_num_entries;
+       u16 tt_num_entries;
+       size_t tt_vlan_len;
        char tt_flag;
        bool ret;