aboutsummaryrefslogtreecommitdiffstatshomepage
diff options
context:
space:
mode:
authorJakub Kicinski <kuba@kernel.org>2025-09-01 13:35:36 -0700
committerJakub Kicinski <kuba@kernel.org>2025-09-01 13:35:37 -0700
commitaca701c61822d996f38b328d38d3b5d62a9f49b5 (patch)
tree453611d5ec145936478792c3b26fd5b4c87b1861
parentmacsec: read MACSEC_SA_ATTR_PN with nla_get_uint (diff)
parentbatman-adv: fix OOB read/write in network-coding decode (diff)
downloadwireguard-linux-aca701c61822d996f38b328d38d3b5d62a9f49b5.tar.xz
wireguard-linux-aca701c61822d996f38b328d38d3b5d62a9f49b5.zip
Merge tag 'batadv-net-pullrequest-20250901' of https://git.open-mesh.org/linux-merge
Simon Wunderlich says: ==================== Here is a batman-adv bugfix: - fix OOB read/write in network-coding decode, by Stanislav Fort * tag 'batadv-net-pullrequest-20250901' of https://git.open-mesh.org/linux-merge: batman-adv: fix OOB read/write in network-coding decode ==================== Link: https://patch.msgid.link/ Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat
-rw-r--r--net/batman-adv/network-coding.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c
index 9f56308779cc..af97d077369f 100644
--- a/net/batman-adv/network-coding.c
+++ b/net/batman-adv/network-coding.c
@@ -1687,7 +1687,12 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
coding_len = ntohs(coded_packet_tmp.coded_len);
- if (coding_len > skb->len)
+ /* ensure dst buffer is large enough (payload only) */
+ if (coding_len + h_size > skb->len)
+ return NULL;
+
+ /* ensure src buffer is large enough (payload only) */
+ if (coding_len + h_size > nc_packet->skb->len)
return NULL;
/* Here the magic is reversed:
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.