From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.simonwunderlich.de (mail.simonwunderlich.de [23.88.38.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id DB87F352C2B for ; Fri, 15 May 2026 09:55:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=23.88.38.48 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778838961; cv=none; b=GwxIVgreNPOjTLq8fXUYTiZ+0k+7vZGCIxeSrXgLlaPFmz/GnLY7ojfCzKCNe9GgU17P2m6BXCCfXEVqhuXRmIy0YlJkvT9yzsWTkbPGJ5pNrry9Wp1Fct/tAuANnEsBweKFI4Nl+CRB4Fnrhm5xIZl3ec3ewFsSW1yu3urdmAc= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1778838961; c=relaxed/simple; bh=wigtvzGJ/lh0FZ3FVkv5URTJ90Xv+KSsp+r463JC+WA=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=KDwupyivB7uMO/JkWsLJqlfvx00VsYH9GY2DxZnVLcBVY36dwfjosxShLabWuHgAV45XmbCBWG84/+fGgW88l+1LsskQmyw3g+9XeDM6OnkefvxcXzzPafHrsFKKOfoxYBICMs5EbEaqo1FTCvzP3ilwWCZQ3i9tBRH7IwXegpM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=simonwunderlich.de; spf=pass smtp.mailfrom=simonwunderlich.de; dkim=pass (2048-bit key) header.d=simonwunderlich.de header.i=@simonwunderlich.de header.b=TwOMcPsx; arc=none smtp.client-ip=23.88.38.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=simonwunderlich.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=simonwunderlich.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=simonwunderlich.de header.i=@simonwunderlich.de header.b="TwOMcPsx" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=simonwunderlich.de; s=09092022; t=1778838953; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=4O4BCJ5S0lYOlaZTMvXxnnQTPJ7CJ4yo2V0LMRNjzrc=; b=TwOMcPsxUXXbfj0dGf5tW5lwbgklLJyjsvf/ot7X0dymMuetl6vlHy9zXyb9RMP8da/lgd cSNzoyQdFueGqo8OQ8F5t7+gJual0SvG3ZmcYKaqD+eFq7RM9NslR4EKTMk3rHoQ36hF86 09OpBBACA+078Mhk5QeEKEPrUOPeofRCSgjjC7O7Ck2bJeHoG07TQkjVSgyWR5g3kXuZux HVsyPboeyx0TNePRNRDdDmi8sAWNuLle71Y94+95FzH/cXJQJRk3qiyqxJzZoub3a+ajU7 9AEVEZVUda5MkfNf3JW4nCts+TKLya6WL91fkPDpk8a9NhsEUtvUzZnA3aWtLQ== From: Simon Wunderlich To: netdev@vger.kernel.org Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , b.a.t.m.a.n@lists.open-mesh.org, Sven Eckelmann , stable@kernel.org, Simon Wunderlich Subject: [PATCH net 08/14] batman-adv: tt: prevent TVLV entry number overflow Date: Fri, 15 May 2026 11:55:33 +0200 Message-ID: <20260515095540.325586-9-sw@simonwunderlich.de> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260515095540.325586-1-sw@simonwunderlich.de> References: <20260515095540.325586-1-sw@simonwunderlich.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Sven Eckelmann The helpers to prepare the buffers for the local and global TT based replies are trying to sum up all TT entries which can be found for each VLAN. In theory, this sum can be too big for an u16 and therefore overflow. A too small buffer would then be allocated for the TVLV. The too small buffer will be handled gracefully by batadv_tt_tvlv_generate() and is not causing a buffer overflow - just a truncated reply. But this overflow shouldn't have happened in the first and the too small buffer should never have been allocated when an overflow was detected. Cc: stable@kernel.org Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich --- net/batman-adv/translation-table.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index 2259b241e0b56..9f6e67771ffa8 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -804,11 +804,18 @@ batadv_tt_prepare_tvlv_global_data(struct batadv_orig_node *orig_node, u16 total_entries = 0; u8 *tt_change_ptr; int vlan_entries; + u16 sum_entries; spin_lock_bh(&orig_node->vlan_list_lock); hlist_for_each_entry(vlan, &orig_node->vlan_list, list) { vlan_entries = atomic_read(&vlan->tt.num_entries); - total_entries += vlan_entries; + + if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) { + *tt_len = 0; + goto out; + } + + total_entries = sum_entries; num_vlan++; } @@ -893,15 +900,22 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv, struct batadv_meshif_vlan *vlan; size_t change_offset; u16 num_vlan = 0; - u16 vlan_entries = 0; u16 total_entries = 0; u16 tvlv_len; u8 *tt_change_ptr; + int vlan_entries; + u16 sum_entries; spin_lock_bh(&bat_priv->meshif_vlan_list_lock); hlist_for_each_entry(vlan, &bat_priv->meshif_vlan_list, list) { vlan_entries = atomic_read(&vlan->tt.num_entries); - total_entries += vlan_entries; + + if (check_add_overflow(vlan_entries, total_entries, &sum_entries)) { + tvlv_len = 0; + goto out; + } + + total_entries = sum_entries; num_vlan++; } -- 2.47.3