Patch "batman-adv: Do not send uninitialized TT changes" has been added to the 5.15-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    batman-adv: Do not send uninitialized TT changes

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     batman-adv-do-not-send-uninitialized-tt-changes.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 21f348a4dab71b5c28c621ae2f85a36c7c38e517
Author: Remi Pommarel <repk@xxxxxxxxxxxx>
Date:   Fri Nov 22 16:52:48 2024 +0100

    batman-adv: Do not send uninitialized TT changes
    
    [ Upstream commit f2f7358c3890e7366cbcb7512b4bc8b4394b2d61 ]
    
    The number of TT changes can be less than initially expected in
    batadv_tt_tvlv_container_update() (changes can be removed by
    batadv_tt_local_event() in ADD+DEL sequence between reading
    tt_diff_entries_num and actually iterating the change list under lock).
    
    Thus tt_diff_len could be bigger than the actual changes size that need
    to be sent. Because batadv_send_my_tt_response sends the whole
    packet, uninitialized data can be interpreted as TT changes on other
    nodes leading to weird TT global entries on those nodes such as:
    
     * 00:00:00:00:00:00   -1 [....] (  0) 88:12:4e:ad:7e:ba (179) (0x45845380)
     * 00:00:00:00:78:79 4092 [.W..] (  0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)
    
    All of the above also applies to OGM tvlv container buffer's tvlv_len.
    
    Remove the extra allocated space to avoid sending uninitialized TT
    changes in batadv_send_my_tt_response() and batadv_v_ogm_send_softif().
    
    Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs")
    Signed-off-by: Remi Pommarel <repk@xxxxxxxxxxxx>
    Signed-off-by: Sven Eckelmann <sven@xxxxxxxxxxxxx>
    Signed-off-by: Simon Wunderlich <sw@xxxxxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
index 660a5594a647..ec30c1d36160 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -990,6 +990,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
 	int tt_diff_len, tt_change_len = 0;
 	int tt_diff_entries_num = 0;
 	int tt_diff_entries_count = 0;
+	size_t tt_extra_len = 0;
 	u16 tvlv_len;
 
 	tt_diff_entries_num = atomic_read(&bat_priv->tt.local_changes);
@@ -1027,6 +1028,9 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
 	}
 	spin_unlock_bh(&bat_priv->tt.changes_list_lock);
 
+	tt_extra_len = batadv_tt_len(tt_diff_entries_num -
+				     tt_diff_entries_count);
+
 	/* Keep the buffer for possible tt_request */
 	spin_lock_bh(&bat_priv->tt.last_changeset_lock);
 	kfree(bat_priv->tt.last_changeset);
@@ -1035,6 +1039,7 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
 	tt_change_len = batadv_tt_len(tt_diff_entries_count);
 	/* check whether this new OGM has no changes due to size problems */
 	if (tt_diff_entries_count > 0) {
+		tt_diff_len -= tt_extra_len;
 		/* if kmalloc() fails we will reply with the full table
 		 * instead of providing the diff
 		 */
@@ -1047,6 +1052,8 @@ static void batadv_tt_tvlv_container_update(struct batadv_priv *bat_priv)
 	}
 	spin_unlock_bh(&bat_priv->tt.last_changeset_lock);
 
+	/* Remove extra packet space for OGM */
+	tvlv_len -= tt_extra_len;
 container_register:
 	batadv_tvlv_container_register(bat_priv, BATADV_TVLV_TT, 1, tt_data,
 				       tvlv_len);




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux