mirror of
https://github.com/openwrt/routing.git
synced 2025-02-23 11:36:14 +00:00
12b7112ae1
* Do not send uninitialized TT changes * Remove uninitialized data in full table TT response * Do not let TT changes list grows indefinitely Signed-off-by: Sven Eckelmann <sven@narfation.org>
102 lines
3.4 KiB
Diff
102 lines
3.4 KiB
Diff
From: Remi Pommarel <repk@triplefau.lt>
|
|
Date: Fri, 22 Nov 2024 16:52:49 +0100
|
|
Subject: batman-adv: Remove uninitialized data in full table TT response
|
|
|
|
The number of entries filled by batadv_tt_tvlv_generate() can be less
|
|
than initially expected in batadv_tt_prepare_tvlv_{global,local}_data()
|
|
(changes can be removed by batadv_tt_local_event() in ADD+DEL sequence
|
|
in the meantime as the lock held during the whole tvlv global/local data
|
|
generation).
|
|
|
|
Thus tvlv_len could be bigger than the actual TT entry size that need
|
|
to be sent so full table TT_RESPONSE could hold invalid TT entries such
|
|
as below.
|
|
|
|
* 00:00:00:00:00:00 -1 [....] ( 0) 88:12:4e:ad:7e:ba (179) (0x45845380)
|
|
* 00:00:00:00:78:79 4092 [.W..] ( 0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)
|
|
|
|
Remove the extra allocated space to avoid sending uninitialized entries
|
|
for full table TT_RESPONSE in both batadv_send_other_tt_response() and
|
|
batadv_send_my_tt_response().
|
|
|
|
Fixes: 21a57f6e7a3b ("batman-adv: make the TT CRC logic VLAN specific")
|
|
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
|
|
Signed-off-by: Sven Eckelmann <sven@narfation.org>
|
|
Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/095c3965bdc29e43546a9cdd21f179f952e01f48
|
|
|
|
--- a/net/batman-adv/translation-table.c
|
|
+++ b/net/batman-adv/translation-table.c
|
|
@@ -2754,14 +2754,16 @@ static bool batadv_tt_global_valid(const
|
|
*
|
|
* Fills the tvlv buff with the tt entries from the specified hash. If valid_cb
|
|
* is not provided then this becomes a no-op.
|
|
+ *
|
|
+ * Return: Remaining unused length in tvlv_buff.
|
|
*/
|
|
-static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
|
|
- struct batadv_hashtable *hash,
|
|
- void *tvlv_buff, u16 tt_len,
|
|
- bool (*valid_cb)(const void *,
|
|
- const void *,
|
|
- u8 *flags),
|
|
- void *cb_data)
|
|
+static u16 batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
|
|
+ struct batadv_hashtable *hash,
|
|
+ void *tvlv_buff, u16 tt_len,
|
|
+ bool (*valid_cb)(const void *,
|
|
+ const void *,
|
|
+ u8 *flags),
|
|
+ void *cb_data)
|
|
{
|
|
struct batadv_tt_common_entry *tt_common_entry;
|
|
struct batadv_tvlv_tt_change *tt_change;
|
|
@@ -2775,7 +2777,7 @@ static void batadv_tt_tvlv_generate(stru
|
|
tt_change = tvlv_buff;
|
|
|
|
if (!valid_cb)
|
|
- return;
|
|
+ return tt_len;
|
|
|
|
rcu_read_lock();
|
|
for (i = 0; i < hash->size; i++) {
|
|
@@ -2801,6 +2803,8 @@ static void batadv_tt_tvlv_generate(stru
|
|
}
|
|
}
|
|
rcu_read_unlock();
|
|
+
|
|
+ return batadv_tt_len(tt_tot - tt_num_entries);
|
|
}
|
|
|
|
/**
|
|
@@ -3076,10 +3080,11 @@ static bool batadv_send_other_tt_respons
|
|
goto out;
|
|
|
|
/* fill the rest of the tvlv with the real TT entries */
|
|
- batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.global_hash,
|
|
- tt_change, tt_len,
|
|
- batadv_tt_global_valid,
|
|
- req_dst_orig_node);
|
|
+ tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
|
|
+ bat_priv->tt.global_hash,
|
|
+ tt_change, tt_len,
|
|
+ batadv_tt_global_valid,
|
|
+ req_dst_orig_node);
|
|
}
|
|
|
|
/* Don't send the response, if larger than fragmented packet. */
|
|
@@ -3203,9 +3208,11 @@ static bool batadv_send_my_tt_response(s
|
|
goto out;
|
|
|
|
/* fill the rest of the tvlv with the real TT entries */
|
|
- batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.local_hash,
|
|
- tt_change, tt_len,
|
|
- batadv_tt_local_valid, NULL);
|
|
+ tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
|
|
+ bat_priv->tt.local_hash,
|
|
+ tt_change, tt_len,
|
|
+ batadv_tt_local_valid,
|
|
+ NULL);
|
|
}
|
|
|
|
tvlv_tt_data->flags = BATADV_TT_RESPONSE;
|