    batman-adv: Only read OGM2 tvlv_len after buffer len check · 7d4201ff
    Sven Eckelmann authored
    [ Upstream commit 0ff0f15a ]
    
    Multiple batadv_ogm2_packet can be stored in an skbuff. The function
    batadv_v_ogm_send_to_if() uses batadv_v_ogm_aggr_packet() to check if there
    is another additional batadv_ogm2_packet in the skb or not before it
    continues processing the packet.
    
    The length for such an OGM2 is BATADV_OGM2_HLEN +
    batadv_ogm2_packet->tvlv_len. The check must first check that at least
    BATADV_OGM2_HLEN bytes are available before it accesses tvlv_len (which is
    part of the header). Otherwise it might try to read outside of the currently
    available skbuff to get the content of tvlv_len.
    
    Fixes: 9323158e ("batman-adv: OGMv2 - implement originators logic")
    Signed-off-by: Sven Eckelmann <sven@narfation.org>
    Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
    Signed-off-by: Sasha Levin <sashal@kernel.org>
bat_v_ogm.c 27.6 KB
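
The check order described in the commit message, as an added user-space sketch (not the kernel's code and not part of the original commit). The names `OGM2_HLEN`, `TVLV_LEN_OFF`, `ogm2_aggr_packet`, `ogm2_count` and `ogm2_demo_count` are hypothetical, and the 20-byte header with a big-endian `tvlv_len` at offset 14 is an assumed layout standing in for `BATADV_OGM2_HLEN` and `batadv_ogm2_packet->tvlv_len`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout for this sketch: 20-byte header, big-endian 16-bit tvlv_len at offset 14. */
#define OGM2_HLEN    20u
#define TVLV_LEN_OFF 14u

static uint16_t read_be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Returns 1 only if a complete OGM2 (header + TVLV data) starts at pos. */
static int ogm2_aggr_packet(const uint8_t *buf, size_t packet_len, size_t pos)
{
    size_t next = pos + OGM2_HLEN;
    /* The header must fit first: tvlv_len lives inside it. */
    if (next > packet_len)
        return 0;
    /* Only now is tvlv_len inside the buffer; check that the TVLV data fits too. */
    next += read_be16(buf + pos + TVLV_LEN_OFF);
    return next <= packet_len;
}

/* Walk an aggregate and count the complete OGM2s in the first packet_len bytes. */
static int ogm2_count(const uint8_t *buf, size_t packet_len)
{
    size_t pos = 0;
    int n = 0;
    while (ogm2_aggr_packet(buf, packet_len, pos)) {
        pos += OGM2_HLEN + read_be16(buf + pos + TVLV_LEN_OFF);
        n++;
    }
    return n;
}

/* Constructed sample: one OGM2 with 4 TVLV bytes, then one with none (44 bytes total). */
int ogm2_demo_count(size_t visible_len)
{
    uint8_t buf[44] = {0};
    buf[TVLV_LEN_OFF + 1] = 4;  /* first packet: tvlv_len = 4 */
    return ogm2_count(buf, visible_len < sizeof(buf) ? visible_len : sizeof(buf));
}

int main(void)
{
    printf("%d %d %d\n", ogm2_demo_count(44), ogm2_demo_count(30), ogm2_demo_count(19));
    return 0;
}
```

With 30 visible bytes the second header is cut off before its `tvlv_len` field (bytes 38 and 39), so the header-length check rejects it without touching those bytes.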