git.ipfire.org Git - thirdparty/kernel/linux.git/commit
batman-adv: fix fragment reassembly length accounting
author: Ruide Cao <caoruide123@gmail.com>
Wed, 13 May 2026 03:58:15 +0000 (11:58 +0800)
committer: Sven Eckelmann <sven@narfation.org>
Thu, 14 May 2026 16:33:29 +0000 (18:33 +0200)
commit: 9cd3f16c320bfdadd4509358122368deb56a5741
tree: 8da2b1b055da64530b6587ce289d239480426fe6
parent: 99d9958fa10fb684b2a8e2c48a8d704122721420
batman-adv: fix fragment reassembly length accounting

batman-adv keeps a running payload length for queued fragments and uses it
to validate a fragment chain before reassembly.

That accounting currently allows the accumulated fragment length to be
truncated during updates. As a result, malformed fragment chains can
bypass the intended validation and drive reassembly with inconsistent
length state, leading to a local denial of service.

Fix the accounting by storing the accumulated length in a length-typed
field and rejecting update overflows before the existing validation logic
runs.

The fix was verified against the original reproducer and against valid
fragment reassembly paths.

Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
net/batman-adv/fragmentation.c
net/batman-adv/types.h
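The bug class the commit message describes, a running payload length stored in a type narrower than the lengths added to it so that updates truncate and the chain passes validation with a wrong total, next to the fix pattern of a length-typed field with overflow rejected before validation. This is an added example, not the commit's diff or batman-adv's code: the struct names, the `total_size` field, the `CHAIN_MAX_TOTAL` limit and the fragment lengths are constructed for the illustration. The one real primitive is `__builtin_add_overflow`, the GCC/Clang builtin that the kernel's `check_add_overflow()` wraps.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Hypothetical chain state, not batman-adv's real struct. The narrow variant
 * keeps the running payload length in a type smaller than the lengths it
 * accumulates, so an update silently truncates. The wide variant keeps it in
 * a length-typed field and refuses any update that would overflow.
 */
struct chain_narrow {
	uint16_t total_size;
};

struct chain_wide {
	size_t total_size;
};

/* Hypothetical upper bound a chain may reach before reassembly (constructed). */
#define CHAIN_MAX_TOTAL 20000u

/* Buggy pattern: accumulate first, then validate the already-truncated value. */
static bool narrow_queue_fragment(struct chain_narrow *c, size_t frag_len)
{
	c->total_size += frag_len;			/* wraps modulo 2^16 */
	return c->total_size <= CHAIN_MAX_TOTAL;	/* sees the wrapped value */
}

/* Fixed pattern: reject an overflowing update before the validation runs. */
static bool wide_queue_fragment(struct chain_wide *c, size_t frag_len)
{
	size_t new_size;

	/* Reports wraparound instead of performing it (kernel: check_add_overflow). */
	if (__builtin_add_overflow(c->total_size, frag_len, &new_size))
		return false;
	if (new_size > CHAIN_MAX_TOTAL)
		return false;
	c->total_size = new_size;
	return true;
}

/* Feed a whole chain of fragment lengths through one accounting mode and
 * report whether every fragment passed, i.e. whether reassembly would go ahead. */
bool narrow_accepts_chain(const size_t *lens, size_t n)
{
	struct chain_narrow c = { 0 };

	for (size_t i = 0; i < n; i++)
		if (!narrow_queue_fragment(&c, lens[i]))
			return false;
	return true;
}

bool wide_accepts_chain(const size_t *lens, size_t n)
{
	struct chain_wide c = { 0 };

	for (size_t i = 0; i < n; i++)
		if (!wide_queue_fragment(&c, lens[i]))
			return false;
	return true;
}

/* Constructed fragment chains (lengths in bytes), not captured traffic. */
const size_t VALID_CHAIN[] = { 1000, 500 };		/* true total 1500 */
const size_t OVERLONG_CHAIN[] = { 15000, 4000, 46600 };	/* true total 65600 */
const size_t WRAPPING_CHAIN[] = { 1000, SIZE_MAX };	/* forces a size_t wrap */
#define VALID_CHAIN_LEN 2
#define OVERLONG_CHAIN_LEN 3
#define WRAPPING_CHAIN_LEN 2

int main(void)
{
	printf("valid    narrow=%d wide=%d\n",
	       narrow_accepts_chain(VALID_CHAIN, VALID_CHAIN_LEN),
	       wide_accepts_chain(VALID_CHAIN, VALID_CHAIN_LEN));
	printf("overlong narrow=%d wide=%d\n",
	       narrow_accepts_chain(OVERLONG_CHAIN, OVERLONG_CHAIN_LEN),
	       wide_accepts_chain(OVERLONG_CHAIN, OVERLONG_CHAIN_LEN));
	printf("wrapping narrow=%d wide=%d\n",
	       narrow_accepts_chain(WRAPPING_CHAIN, WRAPPING_CHAIN_LEN),
	       wide_accepts_chain(WRAPPING_CHAIN, WRAPPING_CHAIN_LEN));
	return 0;
}
```

With the narrow accumulator the 65600-byte chain is accepted because 15000 + 4000 + 46600 is stored as 64 after truncation, which the limit check then approves; the wide accumulator rejects the third fragment because its true total exceeds the limit. The chain ending in `SIZE_MAX` exercises the explicit overflow rejection on its own: the narrow field wraps to 999 and passes, the wide path refuses the update before the limit is even consulted.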