From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EBEA83E3156 for ; Thu, 28 May 2026 11:57:37 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779969459; cv=none; b=m+XpfMIsuXfnm30/klAVkWolvL5NoCYFSxE39NpQcElekiq9kRt5bbvSxEbN9TKm/pQm+GYv97Ly9eX3/S7an+o6ur4E3+eXMJdcv4W3KccXzynMGJ9v+HWUwFLMub982/lnYpS5sXybKwTv+L4KJmaozHZcX637deRfRROMNFE= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779969459; c=relaxed/simple; bh=uSPvkvSvzOUSjAd85awIE3gQ5u1DQv+tWfXiOq2lMco=; h=Subject:To:Cc:From:Date:Message-ID:MIME-Version:Content-Type; b=lueklLebqAF+UBDN8tMUvEnLKachFuo9g5B4xkXsFUh2ufy+DsQ+bW0u9qAnnrh+cclddoOcYIq44HBF2YeDU3LWP+oRe8txfhVLi4Xjrsd01GTj/YCUnizWVxZRmVv5Uc5SNeQ81V/fLVv54tXut4K7FMl916XKqaeaQEhSOnM= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=rYfsMlms; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="rYfsMlms" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 1D2411F000E9; Thu, 28 May 2026 11:57:36 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linuxfoundation.org; s=korg; t=1779969457; bh=jTtP8a1+O13faN+7JpoSe7REoEeSq1gMxwdhw+BIrk8=; h=Subject:To:Cc:From:Date; b=rYfsMlmseF721F1AhkJPXQZlrtgAEih9NyPifZBmHTqycrdiI9qbZVnfNTr0/L0pk 7Pd7rvjnpw48YUF9hU+31rfFjVWOnqlJs4hEKINzsb0TCAHho/0QWP63JSAl1Qyrjt DqHpna3YdyQ65lzg+ETfdQjCarDLN+yQKX8qz8rk= Subject: FAILED: patch "[PATCH] batman-adv: tt: reject oversized local TVLV buffers" failed to apply to 5.10-stable tree To: sven@narfation.org Cc: From: Date: Thu, 28 May 2026 13:56:29 +0200 Message-ID: <2026052829-condition-cogwheel-4278@gregkh> Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit The patch below does not apply to the 5.10-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to . To reproduce the conflict and resubmit, you may use the following commands: git fetch https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/ linux-5.10.y git checkout FETCH_HEAD git cherry-pick -x 1e9fab756f8395096d5bba7be0c373c4c8f5d165 # git commit -s git send-email --to '' --in-reply-to '2026052829-condition-cogwheel-4278@gregkh' --subject-prefix 'PATCH 5.10.y' HEAD^.. Possible dependencies: thanks, greg k-h ------------------ original commit in Linus's tree ------------------ >From 1e9fab756f8395096d5bba7be0c373c4c8f5d165 Mon Sep 17 00:00:00 2001 From: Sven Eckelmann Date: Sat, 2 May 2026 19:08:37 +0200 Subject: [PATCH] batman-adv: tt: reject oversized local TVLV buffers The commit 3a359bf5c61d ("batman-adv: reject oversized global TT response buffers") added a check to ensure that a global return buffer size can be stored in an u16. The same buffer handling also exists for the local data buffer but was not touched. A similar check should be also be in place for the local TVLV buffer. It doesn't have the similar attack surface because it is only generated from locally discovered MAC addresses but the dynamic nature could still cause temporarily to large buffers. Cc: stable@kernel.org Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Sven Eckelmann diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c index 05cddcf994f6..06548dae1039 100644 --- a/net/batman-adv/translation-table.c +++ b/net/batman-adv/translation-table.c @@ -877,12 +877,12 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv, { struct batadv_tvlv_tt_vlan_data *tt_vlan; struct batadv_meshif_vlan *vlan; + size_t change_offset; u16 num_vlan = 0; u16 vlan_entries = 0; u16 total_entries = 0; u16 tvlv_len; u8 *tt_change_ptr; - int change_offset; spin_lock_bh(&bat_priv->meshif_vlan_list_lock); hlist_for_each_entry(vlan, &bat_priv->meshif_vlan_list, list) { @@ -900,8 +900,10 @@ batadv_tt_prepare_tvlv_local_data(struct batadv_priv *bat_priv, if (*tt_len < 0) *tt_len = batadv_tt_len(total_entries); - tvlv_len = *tt_len; - tvlv_len += change_offset; + if (check_add_overflow(*tt_len, change_offset, &tvlv_len)) { + tvlv_len = 0; + goto out; + } *tt_data = kmalloc(tvlv_len, GFP_ATOMIC); if (!*tt_data) {