diff options
| author |   Ruide Cao <caoruide123@gmail.com> | 2026-05-13 11:58:15 +0800 |
|---|---|---|
| committer |   Sven Eckelmann <sven@narfation.org> | 2026-05-14 18:33:29 +0200 |
| commit | 9cd3f16c320bfdadd4509358122368deb56a5741 (patch) | |
| tree | 8da2b1b055da64530b6587ce289d239480426fe6 /tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com | |
| parent | batman-adv: tt: prevent TVLV entry number overflow (diff) | |
batman-adv: fix fragment reassembly length accounting
batman-adv keeps a running payload length for queued fragments and uses it
to validate a fragment chain before reassembly.
That accounting currently allows the accumulated fragment length to be
truncated during updates. As a result, malformed fragment chains can
bypass the intended validation and drive reassembly with inconsistent
length state, leading to a local denial of service.
Fix the accounting by storing the accumulated length in a length-typed
field and rejecting update overflows before the existing validation logic
runs.
The fix was verified against the original reproducer and against valid
fragment reassembly paths.
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Ruide Cao <caoruide123@gmail.com>
Tested-by: Ren Wei <enjou1224z@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Diffstat (limited to 'tools/testing/selftests/dm-verity/git:/ssh:/git@git.zx2c4.com')
0 files changed, 0 insertions, 0 deletions