From: Sven Eckelmann Date: Fri, 3 Jul 2026 20:27:13 +0000 (+0200) Subject: batman-adv: tt: prevent TVLV OOB check overflow X-Git-Tag: v7.2-rc3~29^2~6^2~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a581d9aaba8c82bd6177fa36b2588eea77f6e2b;p=thirdparty%2Fkernel%2Flinux.git batman-adv: tt: prevent TVLV OOB check overflow A TT unicast TVLV contains the number of VLANs stored in it. This number is an u16 and gets multiplied by the size of the struct batadv_tvlv_tt_vlan_data (8 bytes). The size can therefore overflow the u16 used to store the tt_vlan_len. All additional safety checks to prevent out-of-bounds access of the TVLV buffer are invalid due to this overflow. Using size_t prevents this overflow and ensures that the safety checks compare against the actual buffer requirements. Cc: stable@vger.kernel.org Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Sven Eckelmann --- diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index aae72015645a..dae5e1d8c038 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -4033,7 +4033,8 @@ static int batadv_tt_tvlv_unicast_handler_v1(struct batadv_priv *bat_priv, u16 tvlv_value_len) { struct batadv_tvlv_tt_data *tt_data; - u16 tt_vlan_len, tt_num_entries; + u16 tt_num_entries; + size_t tt_vlan_len; char tt_flag; bool ret;