batman-adv: Remove uninitialized data in full table TT response
authorRemi Pommarel <repk@triplefau.lt>
Fri, 22 Nov 2024 15:52:49 +0000 (16:52 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 19 Dec 2024 17:06:10 +0000 (18:06 +0100)
[ Upstream commit 8038806db64da15721775d6b834990cacbfcf0b2 ]

The number of entries filled by batadv_tt_tvlv_generate() can be less
than initially expected in batadv_tt_prepare_tvlv_{global,local}_data()
(changes can be removed by batadv_tt_local_event() in ADD+DEL sequence
in the meantime as the lock held during the whole tvlv global/local data
generation).

Thus tvlv_len could be bigger than the actual size of the TT entries that need
to be sent, so a full table TT_RESPONSE could hold invalid TT entries such
as those below.

 * 00:00:00:00:00:00   -1 [....] (  0) 88:12:4e:ad:7e:ba (179) (0x45845380)
 * 00:00:00:00:78:79 4092 [.W..] (  0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)

Remove the extra allocated space to avoid sending uninitialized entries
for full table TT_RESPONSE in both batadv_send_other_tt_response() and
batadv_send_my_tt_response().

Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/batman-adv/translation-table.c

index 1eb3562259be06f94e4d84825ff143331617c763..4eba6c8b04a8a954a84308186e522d6af6f290bc 100644 (file)
@@ -2984,14 +2984,16 @@ static bool batadv_tt_global_valid(const void *entry_ptr,
  *
  * Fills the tvlv buff with the tt entries from the specified hash. If valid_cb
  * is not provided then this becomes a no-op.
+ *
+ * Return: Remaining unused length in tvlv_buff.
  */
-static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
-                                   struct batadv_hashtable *hash,
-                                   void *tvlv_buff, u16 tt_len,
-                                   bool (*valid_cb)(const void *,
-                                                    const void *,
-                                                    u8 *flags),
-                                   void *cb_data)
+static u16 batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
+                                  struct batadv_hashtable *hash,
+                                  void *tvlv_buff, u16 tt_len,
+                                  bool (*valid_cb)(const void *,
+                                                   const void *,
+                                                   u8 *flags),
+                                  void *cb_data)
 {
        struct batadv_tt_common_entry *tt_common_entry;
        struct batadv_tvlv_tt_change *tt_change;
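Review bot: The new `Return:` line in the kernel-doc for batadv_tt_tvlv_generate() does not say what unit the value is in or what the no-op path returns. The callers subtract the result from a byte length (`tvlv_len -= ...`) and the `!valid_cb` path returns `tt_len`, so I would spell that out: `* Return: Number of bytes at the end of tvlv_buff, out of tt_len, that were not filled with TT entries (tt_len if valid_cb is NULL).` The function body continues past the end of this hunk.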
@@ -3005,7 +3007,7 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
        tt_change = (struct batadv_tvlv_tt_change *)tvlv_buff;
 
        if (!valid_cb)
-               return;
+               return tt_len;
 
        rcu_read_lock();
        for (i = 0; i < hash->size; i++) {
@@ -3031,6 +3033,8 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
                }
        }
        rcu_read_unlock();
+
+       return batadv_tt_len(tt_tot - tt_num_entries);
 }
 
 /**
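Review bot: The new `return batadv_tt_len(tt_tot - tt_num_entries);` relies on two things this hunk does not show: that tt_num_entries can never exceed tt_tot, and that the byte count from batadv_tt_len() fits the u16 return type. Both presumably hold if tt_tot is derived from the u16 tt_len earlier in the function, but that derivation is outside the hunk and worth confirming. A wrapped or truncated value here would make the callers' `tvlv_len -= ...` trim the response by the wrong amount. A short comment above the return would record why the counts can differ, e.g. `/* entries may have been removed since the buffer was sized; report the unfilled bytes */`.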
@@ -3308,10 +3312,11 @@ static bool batadv_send_other_tt_response(struct batadv_priv *bat_priv,
                        goto out;
 
                /* fill the rest of the tvlv with the real TT entries */
-               batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.global_hash,
-                                       tt_change, tt_len,
-                                       batadv_tt_global_valid,
-                                       req_dst_orig_node);
+               tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
+                                                   bat_priv->tt.global_hash,
+                                                   tt_change, tt_len,
+                                                   batadv_tt_global_valid,
+                                                   req_dst_orig_node);
        }
 
        /* Don't send the response, if larger than fragmented packet. */
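Review bot: The `tvlv_len -= batadv_tt_tvlv_generate(...)` here only shortens the length that is sent; the unfilled tail of the buffer behind tt_change still holds whatever the allocator handed back. The allocation is outside this hunk, so that is inferred from the commit message ("extra allocated space", "uninitialized entries"). Any later code in batadv_send_other_tt_response() that sizes a copy or a send from the original tt_len instead of the trimmed tvlv_len would put those bytes back on the wire, so the rest of the function should be checked to use tvlv_len only. I would add a comment at the subtraction, `/* drop the unfilled tail so no uninitialized TT entries are sent */`, and consider zeroing the buffer where it is allocated as defence in depth. The same applies to the matching hunk in batadv_send_my_tt_response().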
@@ -3437,9 +3442,11 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
                        goto out;
 
                /* fill the rest of the tvlv with the real TT entries */
-               batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.local_hash,
-                                       tt_change, tt_len,
-                                       batadv_tt_local_valid, NULL);
+               tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
+                                                   bat_priv->tt.local_hash,
+                                                   tt_change, tt_len,
+                                                   batadv_tt_local_valid,
+                                                   NULL);
        }
 
        tvlv_tt_data->flags = BATADV_TT_RESPONSE;