From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Stanislav Fort <disclosure@aisle.com>,
Stanislav Fort <stanislav.fort@aisle.com>,
Sven Eckelmann <sven@narfation.org>,
Simon Wunderlich <sw@simonwunderlich.de>
Subject: [PATCH 5.10 25/52] batman-adv: fix OOB read/write in network-coding decode
Date: Sun, 7 Sep 2025 21:57:45 +0200 [thread overview]
Message-ID: <20250907195602.725469429@linuxfoundation.org> (raw)
In-Reply-To: <20250907195601.957051083@linuxfoundation.org>
5.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislav Fort <stanislav.fort@aisle.com>
commit d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 upstream.
batadv_nc_skb_decode_packet() trusts coded_len and checks only against
skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
payload headroom, and the source skb length is not verified, allowing an
out-of-bounds read and a small out-of-bounds write.
Validate that coded_len fits within the payload area of both destination
and source sk_buffs before XORing.
Fixes: 2df5278b0267 ("batman-adv: network coding - receive coded packets and decode them")
Cc: stable@vger.kernel.org
Reported-by: Stanislav Fort <disclosure@aisle.com>
Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/batman-adv/network-coding.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/batman-adv/network-coding.c
+++ b/net/batman-adv/network-coding.c
@@ -1700,7 +1700,12 @@ batadv_nc_skb_decode_packet(struct batad
coding_len = ntohs(coded_packet_tmp.coded_len);
- if (coding_len > skb->len)
+ /* ensure dst buffer is large enough (payload only) */
+ if (coding_len + h_size > skb->len)
+ return NULL;
+
+ /* ensure src buffer is large enough (payload only) */
+ if (coding_len + h_size > nc_packet->skb->len)
return NULL;
/* Here the magic is reversed:
next prev parent reply other threads:[~2025-09-07 20:07 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-09-07 19:57 [PATCH 5.10 00/52] 5.10.243-rc1 review Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 01/52] drm/amd/display: Dont warn when missing DCE encoder caps Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 02/52] tee: fix NULL pointer dereference in tee_shm_put Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 03/52] arm64: dts: rockchip: Add vcc-supply to SPI flash on rk3399-pinebook-pro Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 04/52] wifi: cfg80211: fix use-after-free in cmp_bss() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 05/52] netfilter: conntrack: helper: Replace -EEXIST by -EBUSY Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 06/52] Bluetooth: Fix use-after-free in l2cap_sock_cleanup_listen() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 07/52] xirc2ps_cs: fix register access when enabling FullDuplex Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 08/52] mISDN: Fix memory leak in dsp_hwec_enable() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 09/52] icmp: fix icmp_ndo_send address translation for reply direction Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 10/52] i40e: Fix potential invalid access when MAC list is empty Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 11/52] net: ethernet: mtk_eth_soc: fix tx vlan tag for llc packets Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 12/52] wifi: cw1200: cap SSID length in cw1200_do_join() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 13/52] wifi: libertas: cap SSID len in lbs_associate() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 14/52] net: thunder_bgx: add a missing of_node_put Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 15/52] net: thunder_bgx: decrement cleanup index before use Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 16/52] ipv4: Fix NULL vs error pointer check in inet_blackhole_dev_init() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 17/52] ax25: properly unshare skbs in ax25_kiss_rcv() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 18/52] net: atm: fix memory leak in atm_register_sysfs when device_register fail Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 19/52] ppp: fix memory leak in pad_compress_skb Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 20/52] ALSA: usb-audio: Add mute TLV for playback volumes on some devices Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 21/52] pcmcia: Fix a NULL pointer dereference in __iodyn_find_io_region() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 22/52] wifi: mwifiex: Initialize the chan_stats array to zero Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 23/52] drm/amdgpu: drop hw access in non-DC audio fini Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 24/52] scsi: lpfc: Fix buffer free/clear order in deferred receive path Greg Kroah-Hartman
2025-09-07 19:57 ` Greg Kroah-Hartman [this message]
2025-09-07 19:57 ` [PATCH 5.10 26/52] e1000e: fix heap overflow in e1000_set_eeprom Greg Kroah-Hartman
2025-09-09 19:43 ` Ben Hutchings
2025-09-07 19:57 ` [PATCH 5.10 27/52] mm/khugepaged: fix ->anon_vma race Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 28/52] mm/slub: avoid accessing metadata when pointer is invalid in object_err() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 29/52] cpufreq/sched: Explicitly synchronize limits_changed flag handling Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 30/52] KVM: x86: Take irqfds.lock when adding/deleting IRQ bypass producer Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 31/52] iio: chemical: pms7003: use aligned_s64 for timestamp Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 32/52] iio: light: opt3001: fix deadlock due to concurrent flag access Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 33/52] gpio: pca953x: fix IRQ storm on system wake up Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 34/52] ALSA: hda/realtek - Add new HP ZBook laptop with micmute led fixup Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 35/52] dmaengine: mediatek: Fix a possible deadlock error in mtk_cqdma_tx_status() Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 36/52] net: dsa: microchip: update tag_ksz masks for KSZ9477 family Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 37/52] net: dsa: microchip: linearize skb for tail-tagging switches Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 38/52] vmxnet3: update MTU after device quiesce Greg Kroah-Hartman
2025-09-07 19:57 ` [PATCH 5.10 39/52] arm64: dts: marvell: uDPU: define pinctrl state for alarm LEDs Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 40/52] randstruct: gcc-plugin: Remove bogus void member Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 41/52] randstruct: gcc-plugin: Fix attribute addition Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 42/52] net: phy: microchip: implement generic .handle_interrupt() callback Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 43/52] net: phy: microchip: remove the use of .ack_interrupt() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 44/52] net: phy: microchip: force IRQ polling mode for lan88xx Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 45/52] ALSA: hda/hdmi: Add pin fix for another HP EliteDesk 800 G4 model Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 46/52] pcmcia: Add error handling for add_interval() in do_validate_mem() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 47/52] spi: spi-fsl-lpspi: Fix transmissions when using CONT Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 48/52] spi: spi-fsl-lpspi: Set correct chip-select polarity bit Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 49/52] spi: spi-fsl-lpspi: Reset FIFO and disable module on transfer abort Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 50/52] clk: qcom: gdsc: Set retain_ff before moving to HW CTRL Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 51/52] cifs: fix integer overflow in match_server() Greg Kroah-Hartman
2025-09-07 19:58 ` [PATCH 5.10 52/52] dmaengine: mediatek: Fix a flag reuse error in mtk_cqdma_tx_status() Greg Kroah-Hartman
2025-09-08 2:05 ` [PATCH 5.10 00/52] 5.10.243-rc1 review Florian Fainelli
2025-09-08 9:27 ` Brett A C Sheffield
2025-09-08 15:01 ` Jon Hunter
2025-09-08 18:14 ` Naresh Kamboju
2025-09-09 14:20 ` Naresh Kamboju
2025-09-09 1:45 ` Dominique Martinet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250907195602.725469429@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=disclosure@aisle.com \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=stanislav.fort@aisle.com \
--cc=sven@narfation.org \
--cc=sw@simonwunderlich.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).