From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail.simonwunderlich.de (mail.simonwunderlich.de [23.88.38.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5D4243D9049 for ; Wed, 20 May 2026 11:54:47 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=23.88.38.48 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779278089; cv=none; b=Pf+n/NPGHLdv870RzmQIYGELh+cwjKDmeZMXL4hc7wYV9/J63s9S6yqaVa3DFP9HHKKLv4fK3pZ6zFR8oeA3htrydOfC2kpfQGQIHM3yQFgjF8nrbQ/u2Ztv35LL5ITj8spGXIURGQ0rvhkVcyGRb0l1FqwktoDemLdEBVa73Xo= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779278089; c=relaxed/simple; bh=lMUwfaXzN9guIyHVO2P4seMwOgHlr/JY6mmY3wDSfVU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=T9KI1FiAkCUTFAvugd3ZZ9HSf9i54NtuYLpMLS8L4WD8mlyIbeLjjGpNeZuwTm/q65PV7zTo3Za8VPoKcbRFZdfgr8aqOoMOM8wGXdDwV09avlBnIazWzZ169WgjO1Voxt48drHOdZ7PK9xCwAoQ3krDAjaHu+cF/z89M1/DZ5k= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=simonwunderlich.de; spf=pass smtp.mailfrom=simonwunderlich.de; dkim=pass (2048-bit key) header.d=simonwunderlich.de header.i=@simonwunderlich.de header.b=oTduTm6H; arc=none smtp.client-ip=23.88.38.48 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=simonwunderlich.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=simonwunderlich.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=simonwunderlich.de header.i=@simonwunderlich.de header.b="oTduTm6H" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=simonwunderlich.de; s=09092022; t=1779278080; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=kBVpzL3gTEZN4vwshQgSmyTaf4MxHfBg/Mn1OfHiuN4=; b=oTduTm6H2rHM9C4+OLp5M2x2/Q21EZfAtZi1FaDJNCIQHvVkmzdXnQTpsOoZp66Ul8f/Fs RwGaXYFG22/k5cjfdTGhnUBqCHhrtBMxEH61BfGMRgKEZL49l1ZOms6TtUc3un8HftaFnC cmV2L0oxMjFWOpqYSzCxRAsOUVkZInU2jyRaLOstdeBofLvuPj2fDJ6PyWoubaYoiHWvgk yHyVq8Peputs5VJT25EXPS1bKAnbrC4f5TtvrNv61Y65P4S/rzvBix/JyNuBWPi+68R9ux Un/9AQedxpzWHASpAzSpiCVpBn11aZLQe5sKHGmI2N6wRa6KuML+232Ow8bFgQ== From: Simon Wunderlich To: netdev@vger.kernel.org Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , b.a.t.m.a.n@lists.open-mesh.org, Sven Eckelmann , stable@kernel.org, Yuan Tan , Yifan Wu , Juefei Pu , Xin Liu , Simon Wunderlich Subject: [PATCH net 04/11] batman-adv: tvlv: reject oversized TVLV packets Date: Wed, 20 May 2026 13:54:15 +0200 Message-ID: <20260520115422.53552-5-sw@simonwunderlich.de> X-Mailer: git-send-email 2.47.3 In-Reply-To: <20260520115422.53552-1-sw@simonwunderlich.de> References: <20260520115422.53552-1-sw@simonwunderlich.de> Precedence: bulk X-Mailing-List: netdev@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Sven Eckelmann batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers. The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory. Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded. Cc: stable@kernel.org Fixes: ef26157747d4 ("batman-adv: tvlv - basic infrastructure") Reported-by: Yuan Tan Reported-by: Yifan Wu Reported-by: Juefei Pu Reported-by: Xin Liu Reviewed-by: Yuan Tan Signed-off-by: Sven Eckelmann Signed-off-by: Simon Wunderlich --- net/batman-adv/tvlv.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/net/batman-adv/tvlv.c b/net/batman-adv/tvlv.c index 46ed61dbf0879..cc6ac580c6208 100644 --- a/net/batman-adv/tvlv.c +++ b/net/batman-adv/tvlv.c @@ -13,6 +13,7 @@ #include #include #include +#include #include #include #include @@ -160,10 +161,10 @@ batadv_tvlv_container_get(struct batadv_priv *bat_priv, u8 type, u8 version) * * Return: size of all currently registered tvlv containers in bytes. */ -static u16 batadv_tvlv_container_list_size(struct batadv_priv *bat_priv) +static size_t batadv_tvlv_container_list_size(struct batadv_priv *bat_priv) { struct batadv_tvlv_container *tvlv; - u16 tvlv_len = 0; + size_t tvlv_len = 0; lockdep_assert_held(&bat_priv->tvlv.container_list_lock); @@ -316,13 +317,17 @@ int batadv_tvlv_container_ogm_append(struct batadv_priv *bat_priv, { struct batadv_tvlv_container *tvlv; struct batadv_tvlv_hdr *tvlv_hdr; - u16 tvlv_value_len; + size_t tvlv_value_len; void *tvlv_value; int tvlv_len_ret; bool ret; spin_lock_bh(&bat_priv->tvlv.container_list_lock); tvlv_value_len = batadv_tvlv_container_list_size(bat_priv); + if (tvlv_value_len > U16_MAX) { + tvlv_len_ret = -E2BIG; + goto end; + } ret = batadv_tvlv_realloc_packet_buff(packet_buff, packet_buff_len, packet_min_len, tvlv_value_len); -- 2.47.3