From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Yifan Wu <yifanwucs@gmail.com>,
Juefei Pu <tomapufckgml@gmail.com>,
Yuan Tan <yuantan098@gmail.com>, Xin Liu <bird@lzu.edu.cn>,
Ren Wei <enjou1224z@gmail.com>, Ruide Cao <caoruide123@gmail.com>,
Ren Wei <n05ec@lzu.edu.cn>, Sven Eckelmann <sven@narfation.org>,
Simon Wunderlich <sw@simonwunderlich.de>
Subject: [PATCH 6.1 43/55] batman-adv: reject oversized global TT response buffers
Date: Mon, 13 Apr 2026 18:01:17 +0200 [thread overview]
Message-ID: <20260413155726.440459258@linuxfoundation.org> (raw)
In-Reply-To: <20260413155724.820472494@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ruide Cao <caoruide123@gmail.com>
commit 3a359bf5c61d52e7f09754108309d637532164a6 upstream.
batadv_tt_prepare_tvlv_global_data() builds the allocation length for a
global TT response in 16-bit temporaries. When a remote originator
advertises a large enough global TT, the TT payload length plus the VLAN
header offset can exceed 65535 and wrap before kmalloc().
The full-table response path still uses the original TT payload length when
it fills tt_change, so the wrapped allocation is too small and
batadv_tt_prepare_tvlv_global_data() writes past the end of the heap object
before the later packet-size check runs.
Fix this by rejecting TT responses whose TVLV value length cannot fit in
the 16-bit TVLV payload length field.
Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific")
Cc: stable@vger.kernel.org
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Co-developed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Yuan Tan <yuantan098@gmail.com>
Suggested-by: Xin Liu <bird@lzu.edu.cn>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/translation-table.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -844,8 +844,8 @@ batadv_tt_prepare_tvlv_global_data(struc
{
u16 num_vlan = 0;
u16 num_entries = 0;
- u16 change_offset;
- u16 tvlv_len;
+ u16 tvlv_len = 0;
+ unsigned int change_offset;
struct batadv_tvlv_tt_vlan_data *tt_vlan;
struct batadv_orig_node_vlan *vlan;
u8 *tt_change_ptr;
@@ -863,6 +863,11 @@ batadv_tt_prepare_tvlv_global_data(struc
if (*tt_len < 0)
*tt_len = batadv_tt_len(num_entries);
+ if (change_offset > U16_MAX || *tt_len > U16_MAX - change_offset) {
+ *tt_len = 0;
+ goto out;
+ }
+
tvlv_len = *tt_len;
tvlv_len += change_offset;
next prev parent reply other threads:[~2026-04-13 16:17 UTC|newest]
Thread overview: 70+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-13 16:00 [PATCH 6.1 00/55] 6.1.169-rc1 review Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 01/55] lib/crypto: chacha: Zeroize permuted_state before it leaves scope Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 02/55] wifi: rt2x00usb: fix devres lifetime Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 03/55] xfrm_user: fix info leak in build_report() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 04/55] mptcp: fix slab-use-after-free in __inet_lookup_established Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 05/55] Input: uinput - fix circular locking dependency with ff-core Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 06/55] Input: uinput - take event lock when submitting FF request "event" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 07/55] MIPS: Always record SEGBITS in cpu_data.vmbits Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 08/55] MIPS: mm: Suppress TLB uniquification on EHINV hardware Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 09/55] MIPS: mm: Rewrite TLB uniquification for the hidden bit feature Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 10/55] media: uvcvideo: Mark invalid entities with id UVC_INVALID_ENTITY_ID Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 11/55] media: uvcvideo: Use heuristic to find stream entity Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 12/55] apparmor: validate DFA start states are in bounds in unpack_pdb Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 13/55] apparmor: fix memory leak in verify_header Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 14/55] apparmor: replace recursive profile removal with iterative approach Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 15/55] apparmor: fix: limit the number of levels of policy namespaces Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 16/55] apparmor: fix side-effect bug in match_char() macro usage Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 17/55] apparmor: fix missing bounds check on DEFAULT table in verify_dfa() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 18/55] apparmor: Fix double free of ns_name in aa_replace_profiles() Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 19/55] apparmor: fix unprivileged local user can do privileged policy management Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 20/55] apparmor: fix differential encoding verification Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 21/55] apparmor: fix race on rawdata dereference Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 22/55] apparmor: fix race between freeing data and fs accessing it Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 23/55] usb: gadget: u_ether: Fix race between gether_disconnect and eth_stop Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 24/55] Revert "ACPI: EC: Evaluate orphan _REG under EC device" Greg Kroah-Hartman
2026-04-13 16:00 ` [PATCH 6.1 25/55] ACPICA: Add a depth argument to acpi_execute_reg_methods() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 26/55] ACPI: EC: Evaluate _REG outside the EC scope more carefully Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 27/55] usb: gadget: f_hid: move list and spinlock inits from bind to alloc Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 28/55] rfkill: Use sysfs_emit() to instead of sprintf() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 29/55] rfkill: sync before userspace visibility/changes Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 30/55] net: rfkill: reduce data->mtx scope in rfkill_fop_open Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 31/55] net: rfkill: prevent unlimited numbers of rfkill events from being created Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 32/55] seg6: separate dst_cache for input and output paths in seg6 lwtunnel Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 33/55] Revert "mptcp: add needs_id for netlink appending addr" Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 34/55] drm/scheduler: signal scheduled fence when kill job Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 35/55] netfilter: nft_set_pipapo: do not rely on ZERO_SIZE_PTR Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 36/55] netfilter: nft_ct: fix use-after-free in timeout object destroy Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 37/55] xfrm: clear trailing padding in build_polexpire() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 38/55] tipc: fix bc_ackers underflow on duplicate GRP_ACK_MSG Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 39/55] wifi: brcmsmac: Fix dma_free_coherent() size Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 40/55] arm64: dts: hisilicon: poplar: Correct PCIe reset GPIO polarity Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 41/55] arm64: dts: hisilicon: hi3798cv200: Add missing dma-ranges Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 42/55] nfc: pn533: allocate rx skb before consuming bytes Greg Kroah-Hartman
2026-04-13 16:01 ` Greg Kroah-Hartman [this message]
2026-04-13 16:01 ` [PATCH 6.1 44/55] EDAC/mc: Fix error path ordering in edac_mc_alloc() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 45/55] net/tls: fix use-after-free in -EBUSY error path of tls_do_encryption Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 46/55] net: altera-tse: fix skb leak on DMA mapping error in tse_start_xmit() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 47/55] batman-adv: hold claim backbone gateways by reference Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 48/55] drm/i915/gt: fix refcount underflow in intel_engine_park_heartbeat Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 49/55] net/mlx5: Update the list of the PCI supported devices Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 50/55] mmc: vub300: fix NULL-deref on disconnect Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 51/55] net: qualcomm: qca_uart: report the consumed byte on RX skb allocation failure Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 52/55] net: stmmac: fix integer underflow in chain mode Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 53/55] rxrpc: fix reference count leak in rxrpc_server_keyring() Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 54/55] rxrpc: Fix key/keyring checks in setsockopt(RXRPC_SECURITY_KEY/KEYRING) Greg Kroah-Hartman
2026-04-13 16:01 ` [PATCH 6.1 55/55] Revert "PCI: Enable ACS after configuring IOMMU for OF platforms" Greg Kroah-Hartman
2026-04-13 17:38 ` [PATCH 6.1 00/55] 6.1.169-rc1 review Brett A C Sheffield
2026-04-13 18:51 ` Florian Fainelli
2026-04-14 7:53 ` Jon Hunter
2026-04-14 8:13 ` Pavel Machek
2026-04-14 8:20 ` Pavel Machek
2026-04-14 9:06 ` Peter Schneider
2026-04-14 11:49 ` Ron Economos
2026-04-14 12:30 ` Francesco Dolcini
2026-04-14 17:44 ` Shuah Khan
2026-04-14 17:44 ` Miguel Ojeda
2026-04-14 18:18 ` Mark Brown
2026-04-16 22:09 ` Barry K. Nathan
2026-04-19 14:31 ` Guenter Roeck
2026-04-19 20:04 ` Linus Walleij
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260413155726.440459258@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bird@lzu.edu.cn \
--cc=caoruide123@gmail.com \
--cc=enjou1224z@gmail.com \
--cc=n05ec@lzu.edu.cn \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=sven@narfation.org \
--cc=sw@simonwunderlich.de \
--cc=tomapufckgml@gmail.com \
--cc=yifanwucs@gmail.com \
--cc=yuantan098@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.