From: Sven Eckelmann Date: Thu, 11 Jun 2026 20:14:54 +0000 (+0200) Subject: batman-adv: frag: avoid underflow of TTL X-Git-Tag: v7.2-rc1~29^2~75^2~10 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=493d9d2528e1a09b090e4b37f0f553def7bd5ce9;p=thirdparty%2Fkernel%2Flinux.git batman-adv: frag: avoid underflow of TTL Packets with a TTL are using it to limit the amount of time this packet can be forwarded. But for batadv_frag_packet, the TTL was always only reduced but it was never evaluated. It could even underflow without any effect. Check the TTL in batadv_frag_skb_fwd() before attempting to prepare it for forwarding. This keeps it in sync with the not fragmented unicast packet. Cc: stable@kernel.org Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge") Signed-off-by: Sven Eckelmann --- diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c index f311a42203d2e..8a006a0473a87 100644 --- a/net/batman-adv/fragmentation.c +++ b/net/batman-adv/fragmentation.c @@ -417,6 +417,13 @@ bool batadv_frag_skb_fwd(struct sk_buff *skb, */ total_size = ntohs(packet->total_size); if (total_size > neigh_node->if_incoming->net_dev->mtu) { + if (packet->ttl < 2) { + kfree_skb(skb); + *rx_result = NET_RX_DROP; + ret = true; + goto out; + } + if (skb_cow(skb, ETH_HLEN) < 0) { kfree_skb(skb); *rx_result = NET_RX_DROP;