]> git.ipfire.org Git - thirdparty/kernel/linux.git/commit
batman-adv: tt: prevent TVLV OOB check overflow
authorSven Eckelmann <sven@narfation.org>
Fri, 3 Jul 2026 20:27:13 +0000 (22:27 +0200)
committerSven Eckelmann <sven@narfation.org>
Mon, 6 Jul 2026 05:18:58 +0000 (07:18 +0200)
commit7a581d9aaba8c82bd6177fa36b2588eea77f6e2b
treedaba2de987047213fada562c1e694da2a0c7cb59
parent27c7d40008231ae4140d35501b60087a9de2d2c3
batman-adv: tt: prevent TVLV OOB check overflow

A TT unicast TVLV contains the number of VLANs stored in it. This number is
an u16 and gets multiplied by the size of the struct
batadv_tvlv_tt_vlan_data (8 bytes). The size can therefore overflow the u16
used to store the tt_vlan_len. All additional safety checks to prevent
out-of-bounds access of the TVLV buffer are invalid due to this overflow.

Using size_t prevents this overflow and ensures that the safety checks
compare against the actual buffer requirements.

Cc: stable@vger.kernel.org
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Sven Eckelmann <sven@narfation.org>
net/batman-adv/translation-table.c