batman-adv: tvlv: abort OGM send on tvlv append failure

batadv_tvlv_container_ogm_append() could fail in two ways: a memory
allocation failure when resizing the packet buffer, or the tvlv data
exceeding U16_MAX bytes. In both cases the function previously returned the
old (now stale) tvlv_value_len rather than signalling an error, causing the
OGM/OGM2 send path to transmit a packet whose TVLV length field no longer
matched the actual buffer contents. And because it also didn't fill in the
new TVLV data, sending either uninitialized or corrupted data on the wire.

All errors in batadv_tvlv_container_ogm_append() must be forwarded to the
caller. And the caller must abort the send of the OGM2. For B.A.T.M.A.N.
IV, it is currently not allowed to abort the send. The non-TVLV part of the
OGM must be queued up instead.

Cc: stable@kernel.org
Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure")
Signed-off-by: Sven Eckelmann <sven@narfation.org>

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 74ef7dc2b2f981061fbe3c76a3f8c4aa2b07d320..7ad26128b5f7cafa277f1e737c16ba3422664c55 100644 (file)
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -790,6 +790,7 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
        u32 seqno;
        u16 tvlv_len = 0;
        unsigned long send_time;
+       int ret;
 
        lockdep_assert_held(&hard_iface->bat_iv.ogm_buff_mutex);
 
@@ -813,9 +814,18 @@ static void batadv_iv_ogm_schedule_buff(struct batadv_hard_iface *hard_iface)
                 * appended as it may alter the tt tvlv container
                 */
                batadv_tt_local_commit_changes(bat_priv);
-               tvlv_len = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
-                                                           ogm_buff_len,
-                                                           BATADV_OGM_HLEN);
+               ret = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
+                                                      ogm_buff_len,
+                                                      BATADV_OGM_HLEN);
+               if (ret < 0) {
+                       /* OGMs must be queued even when the buffer allocation for
+                        * TVLVs failed. just fall back to the non-TVLV version
+                        */
+                       ret = 0;
+                       *ogm_buff_len = BATADV_OGM_HLEN;
+               }
+
+               tvlv_len = ret;
        }
 
        batadv_ogm_packet = (struct batadv_ogm_packet *)(*ogm_buff);

diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index e955b4940c728380eff79c6f9e2e4861965768df..d66ca77b1aaa3cea37f40bcccd2535d57927bbca 100644 (file)
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -269,10 +269,10 @@ static void batadv_v_ogm_send_meshif(struct batadv_priv *bat_priv)
        struct batadv_hard_iface *hard_iface;
        struct batadv_ogm2_packet *ogm_packet;
        struct sk_buff *skb, *skb_tmp;
-       unsigned char *ogm_buff;
+       unsigned char **ogm_buff;
        struct list_head *iter;
-       int ogm_buff_len;
-       u16 tvlv_len = 0;
+       int *ogm_buff_len;
+       u16 tvlv_len;
        int ret;
 
        lockdep_assert_held(&bat_priv->bat_v.ogm_buff_mutex);
@@ -280,25 +280,27 @@ static void batadv_v_ogm_send_meshif(struct batadv_priv *bat_priv)
        if (atomic_read(&bat_priv->mesh_state) == BATADV_MESH_DEACTIVATING)
                goto out;
 
-       ogm_buff = bat_priv->bat_v.ogm_buff;
-       ogm_buff_len = bat_priv->bat_v.ogm_buff_len;
+       ogm_buff = &bat_priv->bat_v.ogm_buff;
+       ogm_buff_len = &bat_priv->bat_v.ogm_buff_len;
+
        /* tt changes have to be committed before the tvlv data is
         * appended as it may alter the tt tvlv container
         */
        batadv_tt_local_commit_changes(bat_priv);
-       tvlv_len = batadv_tvlv_container_ogm_append(bat_priv, &ogm_buff,
-                                                   &ogm_buff_len,
-                                                   BATADV_OGM2_HLEN);
+       ret = batadv_tvlv_container_ogm_append(bat_priv, ogm_buff,
+                                              ogm_buff_len,
+                                              BATADV_OGM2_HLEN);
+       if (ret < 0)
+               goto reschedule;
 
-       bat_priv->bat_v.ogm_buff = ogm_buff;
-       bat_priv->bat_v.ogm_buff_len = ogm_buff_len;
+       tvlv_len = ret;
 
-       skb = netdev_alloc_skb_ip_align(NULL, ETH_HLEN + ogm_buff_len);
+       skb = netdev_alloc_skb_ip_align(NULL, ETH_HLEN + *ogm_buff_len);
        if (!skb)
                goto reschedule;
 
        skb_reserve(skb, ETH_HLEN);
-       skb_put_data(skb, ogm_buff, ogm_buff_len);
+       skb_put_data(skb, *ogm_buff, *ogm_buff_len);
 
        ogm_packet = (struct batadv_ogm2_packet *)skb->data;
        ogm_packet->seqno = htonl(atomic_read(&bat_priv->bat_v.ogm_seqno));

diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c
index 8129a3f9c44d018fc4c5970c3e5c7347bbe28679..46ed61dbf08795537532e5f279a0f0bc58307164 100644 (file)
--- a/net/batman-adv/tvlv.c
+++ b/net/batman-adv/tvlv.c
@@ -8,6 +8,7 @@
 
 #include <linux/byteorder/generic.h>
 #include <linux/container_of.h>
+#include <linux/errno.h>
 #include <linux/etherdevice.h>
 #include <linux/gfp.h>
 #include <linux/if_ether.h>
@@ -306,9 +307,10 @@ static bool batadv_tvlv_realloc_packet_buff(unsigned char **packet_buff,
  * The ogm packet might be enlarged or shrunk depending on the current size
  * and the size of the to-be-appended tvlv containers.
  *
- * Return: size of all appended tvlv containers in bytes.
+ * Return: size of all appended tvlv containers in bytes (max U16_MAX), negative
+ *  if operation failed
  */
-u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
+int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
                                     unsigned char **packet_buff,
                                     int *packet_buff_len, int packet_min_len)
 {
@@ -316,6 +318,7 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
        struct batadv_tvlv_hdr *tvlv_hdr;
        u16 tvlv_value_len;
        void *tvlv_value;
+       int tvlv_len_ret;
        bool ret;
 
        spin_lock_bh(&bat_priv->tvlv.container_list_lock);
@@ -323,9 +326,12 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 
        ret = batadv_tvlv_realloc_packet_buff(packet_buff, packet_buff_len,
                                              packet_min_len, tvlv_value_len);
-
-       if (!ret)
+       if (!ret) {
+               tvlv_len_ret = -ENOMEM;
                goto end;
+       }
+
+       tvlv_len_ret = tvlv_value_len;
 
        if (!tvlv_value_len)
                goto end;
@@ -344,7 +350,8 @@ u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
 
 end:
        spin_unlock_bh(&bat_priv->tvlv.container_list_lock);
-       return tvlv_value_len;
+
+       return tvlv_len_ret;
 }
 
 /**

diff --git a/net/batman-adv/tvlv.h b/net/batman-adv/tvlv.h
index e5697230d99173d14fba7b6d555c7a8b29b6a69a..f96f6b3f44a001ed6595441e50d1c391db869885 100644 (file)
--- a/net/batman-adv/tvlv.h
+++ b/net/batman-adv/tvlv.h
@@ -16,7 +16,7 @@
 void batadv_tvlv_container_register(struct batadv_priv *bat_priv,
                                    u8 type, u8 version,
                                    void *tvlv_value, u16 tvlv_value_len);
-u16 batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
+int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv,
                                     unsigned char **packet_buff,
                                     int *packet_buff_len, int packet_min_len);
 void batadv_tvlv_ogm_receive(struct batadv_priv *bat_priv,