batman-adv: Remove uninitialized data in full table TT response
[ Upstream commit 8038806db64da15721775d6b834990cacbfcf0b2 ] The number of entries filled by batadv_tt_tvlv_generate() can be less than initially expected in batadv_tt_prepare_tvlv_{global,local}_data() (changes can be removed by batadv_tt_local_event() in ADD+DEL sequence in the meantime as the lock held during the whole tvlv global/local data generation). Thus tvlv_len could be bigger than the actual TT entry size that need to be sent so full table TT_RESPONSE could hold invalid TT entries such as below. * 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380) * 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b) Remove the extra allocated space to avoid sending uninitialized entries for full table TT_RESPONSE in both batadv_send_other_tt_response() and batadv_send_my_tt_response(). Fixes: 7ea7b4a14275 ("batman-adv: make the TT CRC logic VLAN specific") Signed-off-by: Remi Pommarel <repk@triplefau.lt> Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
parent
66e7a8ea65
commit
d66ca5c27e
1 changed files with 22 additions and 15 deletions
|
@ -2984,14 +2984,16 @@ static bool batadv_tt_global_valid(const void *entry_ptr,
|
|||
*
|
||||
* Fills the tvlv buff with the tt entries from the specified hash. If valid_cb
|
||||
* is not provided then this becomes a no-op.
|
||||
*
|
||||
* Return: Remaining unused length in tvlv_buff.
|
||||
*/
|
||||
static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
|
||||
struct batadv_hashtable *hash,
|
||||
void *tvlv_buff, u16 tt_len,
|
||||
bool (*valid_cb)(const void *,
|
||||
const void *,
|
||||
u8 *flags),
|
||||
void *cb_data)
|
||||
static u16 batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
|
||||
struct batadv_hashtable *hash,
|
||||
void *tvlv_buff, u16 tt_len,
|
||||
bool (*valid_cb)(const void *,
|
||||
const void *,
|
||||
u8 *flags),
|
||||
void *cb_data)
|
||||
{
|
||||
struct batadv_tt_common_entry *tt_common_entry;
|
||||
struct batadv_tvlv_tt_change *tt_change;
|
||||
|
@ -3005,7 +3007,7 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
|
|||
tt_change = (struct batadv_tvlv_tt_change *)tvlv_buff;
|
||||
|
||||
if (!valid_cb)
|
||||
return;
|
||||
return tt_len;
|
||||
|
||||
rcu_read_lock();
|
||||
for (i = 0; i < hash->size; i++) {
|
||||
|
@ -3031,6 +3033,8 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
|
|||
}
|
||||
}
|
||||
rcu_read_unlock();
|
||||
|
||||
return batadv_tt_len(tt_tot - tt_num_entries);
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -3308,10 +3312,11 @@ static bool batadv_send_other_tt_response(struct batadv_priv *bat_priv,
|
|||
goto out;
|
||||
|
||||
/* fill the rest of the tvlv with the real TT entries */
|
||||
batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.global_hash,
|
||||
tt_change, tt_len,
|
||||
batadv_tt_global_valid,
|
||||
req_dst_orig_node);
|
||||
tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
|
||||
bat_priv->tt.global_hash,
|
||||
tt_change, tt_len,
|
||||
batadv_tt_global_valid,
|
||||
req_dst_orig_node);
|
||||
}
|
||||
|
||||
/* Don't send the response, if larger than fragmented packet. */
|
||||
|
@ -3437,9 +3442,11 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
|
|||
goto out;
|
||||
|
||||
/* fill the rest of the tvlv with the real TT entries */
|
||||
batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.local_hash,
|
||||
tt_change, tt_len,
|
||||
batadv_tt_local_valid, NULL);
|
||||
tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
|
||||
bat_priv->tt.local_hash,
|
||||
tt_change, tt_len,
|
||||
batadv_tt_local_valid,
|
||||
NULL);
|
||||
}
|
||||
|
||||
tvlv_tt_data->flags = BATADV_TT_RESPONSE;
|
||||
|
|
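Review bot: The new return value of batadv_tt_tvlv_generate() is the only thing keeping the unfilled tail of tvlv_buff out of a full-table TT_RESPONSE, yet nothing forces a caller to use it, and the kernel-doc line `Return: Remaining unused length in tvlv_buff.` does not say what the caller must do with it. I would declare it `static u16 __must_check batadv_tt_tvlv_generate(...)` and extend the comment to `Return: Length of the unfilled tail of tvlv_buff; callers must subtract it from the length they send.` The final `return batadv_tt_len(tt_tot - tt_num_entries);` assumes tt_num_entries never exceeds tt_tot and that the result fits in u16; the loop that maintains this lies outside the visible hunks, so it is worth confirming. Both callers still pass a buffer whose tail is never written, so if its allocation (not shown on this page) does not zero the memory, zeroing it would be a cheap second layer against the same disclosure.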