From mboxrd@z Thu Jan 1 00:00:00 1970
Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 44A141F37BE;
	Tue, 17 Dec 2024 17:10:44 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734455444; cv=none;
	b=QikEwBRkv+Fkrncs3aM+YaPOz9gxHwLSxgZmXuKrHNYyib1dCQK0gwBjoKDIVbLoO573oMmt0UdOGQbaefxLrK26AJBrwVGWKvQKPYoHdx7XGcsLpBk5gqMdnhPAUdSuQMdq1O9WOwdo8dQDruqpOgUOjj78/TmzO/634VksdV0=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734455444; c=relaxed/simple;
	bh=Q+XDIX9YmBUIBZQYAG8vX92VUnNQiDYT2UXHnRUybFA=;
	h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:MIME-Version;
	b=FtG7KWquEoiDcRsdOtqnfaQPGg/IsOJYaU/6c+6QUqt1lhfioReJd4WsobC2heN7KL813F/Auo/umlRpXRT4qRkcOY91u5XlDNJ6oZ4u9PsNyD5t08PzDrzO3+4bpKpGztWqy1BJga+ZIH5vu+blB3/DTv6GiuSi1JLSM7Q+2ns=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=wDhm3xvk; arc=none smtp.client-ip=10.30.226.201
Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="wDhm3xvk"
Received: by smtp.kernel.org (Postfix) with ESMTPSA id BD701C4CED3;
	Tue, 17 Dec 2024 17:10:43 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1734455444;
	bh=Q+XDIX9YmBUIBZQYAG8vX92VUnNQiDYT2UXHnRUybFA=;
	h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
	b=wDhm3xvkmBGMX3j1EcnYRWdCmttwBcPSEGaGOrMvw3z/E283z3zvDMEnTRHDPr+i7
	 at86H1rIEfvRIAyrWmVE0DEapoz9hQzYxQR3qVZJvUak29J0ffYFag88oYs/qNIwuC
	 quH+UY13XUuy+2eGcA/xnZb2P+JLhf5BTK5wGr6U=
From: Greg Kroah-Hartman
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman, patches@lists.linux.dev, Remi Pommarel, Sven Eckelmann, Simon Wunderlich, Sasha Levin
Subject: [PATCH 5.10 13/43] batman-adv: Do not send uninitialized TT changes
Date: Tue, 17 Dec 2024 18:07:04 +0100
Message-ID: <20241217170520.992984116@linuxfoundation.org>
X-Mailer: git-send-email 2.47.1
In-Reply-To: <20241217170520.459491270@linuxfoundation.org>
References: <20241217170520.459491270@linuxfoundation.org>
User-Agent: quilt/0.67
X-stable: review
X-Patchwork-Hint: ignore
Precedence: bulk
X-Mailing-List: stable@vger.kernel.org
List-Id:
List-Subscribe:
List-Unsubscribe:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

5.10-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Remi Pommarel

[ Upstream commit f2f7358c3890e7366cbcb7512b4bc8b4394b2d61 ]

The number of TT changes can be less than initially expected in
batadv_tt_tvlv_container_update() (changes can be removed by
batadv_tt_local_event() in ADD+DEL sequence between reading
tt_diff_entries_num and actually iterating the change list under lock).
Thus tt_diff_len could be bigger than the actual changes size that need
to be sent. Because batadv_send_my_tt_response sends the whole packet,
uninitialized data can be interpreted as TT changes on other nodes
leading to weird TT global entries on those nodes such as:

 * 00:00:00:00:00:00   -1 [....] (  0) 88:12:4e:ad:7e:ba (179) (0x45845380)
 * 00:00:00:00:78:79 4092 [.W..] (  0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)

All of the above also applies to OGM tvlv container buffer's tvlv_len.

Remove the extra allocated space to avoid sending uninitialized TT changes
in batadv_send_my_tt_response() and batadv_v_ogm_send_softif().

Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs")
Signed-off-by: Remi Pommarel
Signed-off-by: Sven Eckelmann
Signed-off-by: Simon Wunderlich
Signed-off-by: Sasha Levin --- net/batman-adv/translation-table.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index f5019f698105..1eb3562259be 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -995,6 +995,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) int tt_diff_len, tt_change_len = 0; int tt_diff_entries_num = 0; int tt_diff_entries_count = 0; + size_t tt_extra_len = 0; u16 tvlv_len; tt_diff_entries_num = atomic_read(&bat_priv->tt.local_changes); @@ -1032,6 +1033,9 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) } spin_unlock_bh(&bat_priv->tt.changes_list_lock); + tt_extra_len = batadv_tt_len(tt_diff_entries_num - + tt_diff_entries_count); + /* Keep the buffer for possible tt_request */ spin_lock_bh(&bat_priv->tt.last_changeset_lock); kfree(bat_priv->tt.last_changeset); @@ -1040,6 +1044,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) tt_change_len = batadv_tt_len(tt_diff_entries_count); /* check whether this new OGM has no changes due to size problems */ if (tt_diff_entries_count > 0) { + tt_diff_len -= tt_extra_len; /* if kmalloc() fails we will reply with the full table * instead of providing the diff */ @@ -1052,6 +1057,8 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv) } spin_unlock_bh(&bat_priv->tt.last_changeset_lock); + /* Remove extra packet space for OGM */ + tvlv_len -= tt_extra_len; container_register: batadv_tvlv_container_register(bat_priv, BATADV_TVLV_TT, 1, tt_data, tvlv_len); -- 2.39.5
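Review bot: in the first hunk (@@ -995), tt_extra_len is declared size_t while the two values it is later subtracted from, tt_diff_len (int) and tvlv_len (u16), are signed or narrower, so both subtractions go through implicit conversions; declaring it int, like tt_diff_len and the two entry counters it is derived from, would avoid that, or a comment should state that tt_diff_entries_count can never exceed tt_diff_entries_num, since a negative difference would not be representable in size_t.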
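Review bot: in the second hunk (@@ -1032), the new `tt_extra_len = batadv_tt_len(tt_diff_entries_num - tt_diff_entries_count);` carries no comment explaining why the two counters can differ (the ADD+DEL removal between reading tt.local_changes and walking the list, which only the commit message states); a one-line comment such as `/* entries may have been removed since tt.local_changes was read */` would make the later subtractions self-explanatory. Computing it after spin_unlock_bh(&bat_priv->tt.changes_list_lock) is fine, since both operands are locals at that point.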
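Review bot: in the third hunk (@@ -1040), `tt_diff_len -= tt_extra_len;` sits inside `if (tt_diff_entries_count > 0)`, so when every counted change was removed (count == 0) tt_diff_len keeps its oversized value; that is harmless only if nothing on the other path uses it, which the hunk does not show, and deserves a comment. The line just above, `tt_change_len = batadv_tt_len(tt_diff_entries_count);`, is the length the subtraction is meant to arrive at, so a comment relating the two (or a WARN_ON_ONCE if they may differ) would document the invariant that the buffer length now matches the bytes actually written.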
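Review bot: in the fourth hunk (@@ -1052), `tvlv_len -= tt_extra_len;` is placed just before the `container_register:` label, so any `goto container_register` path skips it and relies on tt_extra_len being correct there; with the `= 0` initializer from the first hunk that holds for paths that jump before the extra length is computed, but a comment stating that dependency, or moving the subtraction next to where tt_extra_len is computed, would make it robust against later reordering. Since tvlv_len is u16 and tt_extra_len is size_t, the comment should also record that tt_extra_len is always at most tvlv_len, otherwise the truncated result would be wrong rather than merely oversized.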
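The sizing race the commit message describes, reduced to a stand-alone C model. This is an added example, not kernel code: the header size, the entry layout, the POISON marker and every function name are constructed for illustration. A buffer is allocated for the number of changes counted before the list was walked, fewer entries are actually serialized, and the sender either transmits the full allocation (the bug) or subtracts the unused tail (the fix).

```c
/* Added example (not batman-adv code): models sizing a buffer from a
 * stale entry count and then sending the whole allocation. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

#define TT_HDR_LEN    4     /* constructed: small fixed header */
#define TT_CHANGE_LEN 9     /* constructed: flags(1) + mac(6) + vid(2) */
#define POISON        0xAA  /* marks bytes the builder never wrote */

/* One hypothetical local TT change (constructed layout). */
struct change {
    uint8_t  flags;
    uint8_t  mac[6];
    uint16_t vid;
};

/* Constructed sample: two entries survive, none contains the POISON byte
 * so that unwritten bytes can be told apart from real payload. */
static const struct change sample_changes[2] = {
    { 0x01, { 0x02, 0x00, 0x00, 0x00, 0x00, 0x01 }, 0 },
    { 0x01, { 0x02, 0x00, 0x00, 0x00, 0x00, 0x02 }, 0 },
};

/* Serialize `actual` changes into a buffer sized for `expected` changes
 * (the count read before the list was walked). Returns the length that
 * would be put on the wire: with `fixed` set, the unused tail is
 * subtracted as the patch does; otherwise the whole allocation length is
 * returned, reproducing the bug. The buffer is pre-filled with POISON to
 * stand in for whatever the allocator left behind. */
static size_t build_tt_tvlv(const struct change *changes, int actual,
                            int expected, int fixed, unsigned char **out)
{
    size_t alloc_len = TT_HDR_LEN + (size_t)expected * TT_CHANGE_LEN;
    unsigned char *buf = malloc(alloc_len);
    size_t off = TT_HDR_LEN;
    int i;

    if (!buf)
        return 0;
    memset(buf, POISON, alloc_len);
    memset(buf, 0, TT_HDR_LEN);         /* header is fully written */

    /* Walk the list: it may hold fewer entries than `expected`. */
    for (i = 0; i < actual && i < expected; i++) {
        buf[off] = changes[i].flags;
        memcpy(buf + off + 1, changes[i].mac, 6);
        buf[off + 7] = (unsigned char)(changes[i].vid >> 8);
        buf[off + 8] = (unsigned char)(changes[i].vid & 0xff);
        off += TT_CHANGE_LEN;
    }

    *out = buf;
    if (fixed)  /* drop the space reserved for entries that vanished */
        return alloc_len - (size_t)(expected - i) * TT_CHANGE_LEN;
    return alloc_len;
}

/* Count bytes inside `len` that were never written, i.e. what a receiver
 * would parse as bogus TT changes. */
static size_t count_unwritten(const unsigned char *buf, size_t len)
{
    size_t n = 0, i;

    for (i = 0; i < len; i++)
        if (buf[i] == POISON)
            n++;
    return n;
}

/* Scenario from the commit message: 3 changes were counted, an ADD+DEL
 * pair removed one before the walk, 2 are serialized. */
static size_t sent_len(int fixed)
{
    unsigned char *buf = NULL;
    size_t len = build_tt_tvlv(sample_changes, 2, 3, fixed, &buf);

    free(buf);
    return len;
}

static size_t leaked_bytes(int fixed)
{
    unsigned char *buf = NULL;
    size_t len = build_tt_tvlv(sample_changes, 2, 3, fixed, &buf);
    size_t leaked = buf ? count_unwritten(buf, len) : 0;

    free(buf);
    return leaked;
}
```

count_unwritten() plays the part of the peer that would parse the tail as TT changes: without the correction the sender reports 31 bytes of which 9 were never written, with it the reported length stops exactly at the last serialized entry. The same length-versus-written-bytes check is what a fuzzing or KMSAN run would flag on the real code path.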