From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from e3i103.smtp2go.com (e3i103.smtp2go.com [158.120.84.103]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B84C4183CA6 for ; Wed, 29 Jan 2025 08:35:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=158.120.84.103 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738139757; cv=none; b=l+lC3k+VahlTJj9iODC20T7SlVYErK+qqgOneDcXNjwux0c/xYUkjl1xTuw845V0h7CPZH2UyMD6iwVjpWnxzGthUYbINM7vhiADXbONBSDMQPbpjHdEPxWrsEz9SqvhGOnSyKlvtT8soB5LZyIylHUUOgk8BJvTjZ1mYd6uKfc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1738139757; c=relaxed/simple; bh=yz31b2ue5JCbQXayYcj8IbxD8JP42W1SCJcAIEHyNog=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=DXBXEEY1qFCczYLkLSGWiX+2BLLpp3+fv2Q78ettSsMxZ4tdbEUCXWLEFcluW0aGHU/PMVwxSQ4qck4UXZdVA9tEGCMMm54iP6lO4FgG0BXm+aDqvpK742LwrrLdNXSEpyQmQTvrB+0xjHEgvh2QGz8A796gjGja8bsTC2cgTtM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=triplefau.lt; spf=pass smtp.mailfrom=em510616.triplefau.lt; dkim=pass (2048-bit key) header.d=smtpservice.net header.i=@smtpservice.net header.b=uIgjdmfN; dkim=pass (2048-bit key) header.d=triplefau.lt header.i=@triplefau.lt header.b=dXc+KUN+; arc=none smtp.client-ip=158.120.84.103 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=triplefau.lt Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=em510616.triplefau.lt Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=smtpservice.net header.i=@smtpservice.net header.b="uIgjdmfN"; dkim=pass (2048-bit key) header.d=triplefau.lt header.i=@triplefau.lt header.b="dXc+KUN+" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=smtpservice.net; i=@smtpservice.net; q=dns/txt; s=a1-4; t=1738139752; h=feedback-id : x-smtpcorp-track : date : message-id : to : subject : from : reply-to : sender : list-unsubscribe : list-unsubscribe-post; bh=DY7ub80gYd9tjBAAYJLj+o/B1grhiHlqArNUfs+UkGE=; b=uIgjdmfNwhCqt1SpEDwoD3NNvO/HP19+IPgNsOYPMuAnHBoNYyyKrGsbpxj2mP+vAvar4 cZ4HNBFEtup1ymY5QUiMuY/GVonTLQiOB9kkMuSSgIdiO+IISGWsJcg80Y+kQ952IcbyKqT iG6eoNx+v+vDE3oOkikyoa+fevLK2tQ7mJ68Lq8uwnxyDQJt/pyYqwWAeSh//nhWq9gS/57 Hk8ahc7r/HOCozyOSf3PeDSwLjcG/MTLnNd7uolwT8DOvne15NhtF7KNUggUuSIbfJbqh+c CVoOmM+7FHcuXRJkp5ugD2S/sDhtWRSGs7G0aYmBUrQL/yPRUaEA/2qzdzZg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=triplefau.lt; i=@triplefau.lt; q=dns/txt; s=s510616; t=1738139752; h=from : subject : to : message-id : date; bh=DY7ub80gYd9tjBAAYJLj+o/B1grhiHlqArNUfs+UkGE=; b=dXc+KUN+PcM/pxdGkCt41Rfthm9deCIfDmP6s0tvw6gnBzfnpBSK6ftdjVohrNrRoxsyL 5jzPsggu5krPUJPnAS19MffwS2RCuB10JWP5A6aBeBDeiEcC2bfe2Vc/+xOctm+0yU3zxyv aBc1GH7+60hlAtslLxPI1hT7kNc9xZX43w2JRgvI+Wnsb6hrfRrmxH6olmV8qR0tSLDfBfM Tcg+YgU/kUUWajV7RilD11LdpN/MydwbkhzaS4moOv3W/Z6YBvWzL0xymoKQfY0/kbuhxX6 AuxSG8h0kkjN9dY2ZRGQ5Yjtl1TnZnfECSjwxKt7lZb4NBW2QhD5wlmRpiSQ== Received: from [10.12.239.196] (helo=localhost) by smtpcorp.com with esmtpsa (TLS1.3:ECDHE_SECP256R1__RSA_PSS_RSAE_SHA256__AES_256_GCM:256) (Exim 4.97.1-S2G) (envelope-from ) id 1td3Y2-FnQW0hPpfXA-ln41; Wed, 29 Jan 2025 08:35:46 +0000 Date: Wed, 29 Jan 2025 09:32:02 +0100 From: Remi Pommarel To: Sven Eckelmann Cc: b.a.t.m.a.n@lists.open-mesh.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Marek Lindner , Simon Wunderlich , Erick Archer , Kees Cook Subject: Re: [PATCH] batman-adv: Fix incorrect offset in batadv_tt_tvlv_ogm_handler_v1() Message-ID: References: <2593315.VLH7GnMWUR@sven-l14> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2593315.VLH7GnMWUR@sven-l14> X-Report-Abuse: Please forward a copy of this message, including all headers, to Feedback-ID: 510616m:510616apGKSTK:510616skYQn4pg0B X-smtpcorp-track: Tq4BNXb59oXV.ruznBfnFhvgv.15HIdA0aeJM On Tue, Jan 28, 2025 at 11:18:06PM +0100, Sven Eckelmann wrote: > On Tuesday, 28 January 2025 16:11:06 GMT+1 Remi Pommarel wrote: > > Since commit 4436df478860 ("batman-adv: Add flex array to struct > > batadv_tvlv_tt_data"), the introduction of batadv_tvlv_tt_data's flex > > array member in batadv_tt_tvlv_ogm_handler_v1() put tt_changes at > > invalid offset. Those TT changes are supposed to be filled from the end > > of batadv_tvlv_tt_data structure (including vlan_data flexible array), > > but only the flex array size is taken into account missing completely > > the size of the fixed part of the structure itself. > > > > Fix the tt_change offset computation by using struct_size() instead of > > flex_array_size() so both flex array member and its container structure > > sizes are taken into account. > > > > Fixes: 4436df478860 ("batman-adv: Add flex array to struct batadv_tvlv_tt_data") > > Signed-off-by: Remi Pommarel > > Thanks for the patch. I just wanted to dump my notes here (because it is > getting a little late). > > > Original calculation was: > > 1. tvlv_value_len -= 4 [sizeof(*tt_data)] > 2. check if tvlv_value_len contains at least num_vlan * 8 bytes [sizeof(*tt_vlan)] > 3. tt_vlan = vlan section at offset 4 [sizeof(*tt_data)] > 4. tt_change = change section at offset offset 4 [sizeof(*tt_data)] + num_vlan * 8 bytes [sizeof(*tt_vlan)] > 5. tvlv_value_len was reduced by num_vlan * 8 bytes [sizeof(*tt_vlan)] > 6. num_entries was calculated using tvlv_value_len / 12 [sizeof(batadv_tvlv_tt_change)] > > result: > > * tt_vlan = tt_data + 4 > * tt_change = tt_data + 4 + num_vlan * 8 > * num_entries = (tvlv_value_len - (4 + num_vlan * 8)) / 12 > > > After Erick's change > > 1. tvlv_value_len -= 4 [sizeof(*tt_data)] > 2. calculation of the flexible (vlan) part as num_vlan * 8 [sizeof(tt_data->vlan_data)] > 3. check if tvlv_value_len contains at the flexible (vlan) part > 4. tt_change = change section at offset num_vlan * 8 bytes [sizeof(*tt_vlan)] > (which is wrong by 4 bytes) > 5. tvlv_value_len was reduced by num_vlan * 8 bytes [sizeof(*tt_vlan)] > 6. num_entries was calculated using tvlv_value_len / 12 [sizeof(batadv_tvlv_tt_change)] > 7. "tt_vlan" is implicitly used from offset 4 [tt_data->ttvn] > > result: > > * tt_vlan = tt_data + 4 > * tt_change = tt_data + num_vlan * 8 > * num_entries = (tvlv_value_len - (4 + num_vlan * 8)) / 12 > > > The broken part of the change was basically following: > > - tt_vlan = (struct batadv_tvlv_tt_vlan_data *)(tt_data + 1); > - tt_change = (struct batadv_tvlv_tt_change *)(tt_vlan + num_vlan); > - tvlv_value_len -= sizeof(*tt_vlan) * num_vlan; > + tt_change = (struct batadv_tvlv_tt_change *)((void *)tt_data > + + flex_size); > + tvlv_value_len -= flex_size; > > > if the line > > + tt_change = (struct batadv_tvlv_tt_change *)((void *)tt_data > + + flex_size); > > would have been replaced with > > + tt_change = (struct batadv_tvlv_tt_change *)((void *)tt_data->vlan_data > + + flex_size); > > then it should also have worked. Erick's initial patch was almost doing that but Kees emitted concern that this could bother the compiler bound checker and suggest the current flawed logic [0] (hence him in CC). I wasn't sure the (void *) cast would prevent the bound checker to complain here, so I tried to also follow the "addressing from the base pointer" strategy Kees mentioned. On a side note, I am all about hardening and memory safety stuff but if that means impacting readability and spending more time trying to please the tool than thinking about the correctness of the code change, that's where we end up converting a perfectly fine code into a logically flawed one. [0]: https://lore.kernel.org/lkml/202404291030.F760C26@keescook/ -- Remi