Commit 8038806d authored by Remi Pommarel, committed by Simon Wunderlich

batman-adv: Remove uninitialized data in full table TT response



The number of entries filled by batadv_tt_tvlv_generate() can be less
than initially expected in batadv_tt_prepare_tvlv_{global,local}_data()
(changes can be removed by batadv_tt_local_event() in ADD+DEL sequence
in the meantime as the lock held during the whole tvlv global/local data
generation).

Thus tvlv_len could be bigger than the actual TT entry size that need
to be sent so full table TT_RESPONSE could hold invalid TT entries such
as below.

 * 00:00:00:00:00:00   -1 [....] (  0) 88:12:4e:ad:7e:ba (179) (0x45845380)
 * 00:00:00:00:78:79 4092 [.W..] (  0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)

Remove the extra allocated space to avoid sending uninitialized entries
for full table TT_RESPONSE in both batadv_send_other_tt_response() and
batadv_send_my_tt_response().

Fixes: 7ea7b4a1 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: Remi Pommarel <repk@triplefau.lt>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
parent f2f7358c
+22 −15
@@ -2712,8 +2712,10 @@ static bool batadv_tt_global_valid(const void *entry_ptr,
 *
 * Fills the tvlv buff with the tt entries from the specified hash. If valid_cb
 * is not provided then this becomes a no-op.
 *
 * Return: Remaining unused length in tvlv_buff.
 */
static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
static u16 batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
				   struct batadv_hashtable *hash,
				   void *tvlv_buff, u16 tt_len,
				   bool (*valid_cb)(const void *,
@@ -2733,7 +2735,7 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
	tt_change = tvlv_buff;

	if (!valid_cb)
		return;
		return tt_len;

	rcu_read_lock();
	for (i = 0; i < hash->size; i++) {
@@ -2759,6 +2761,8 @@ static void batadv_tt_tvlv_generate(struct batadv_priv *bat_priv,
		}
	}
	rcu_read_unlock();

	return batadv_tt_len(tt_tot - tt_num_entries);
}

/**
@@ -3029,7 +3033,8 @@ static bool batadv_send_other_tt_response(struct batadv_priv *bat_priv,
			goto out;

		/* fill the rest of the tvlv with the real TT entries */
		batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.global_hash,
		tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
						    bat_priv->tt.global_hash,
						    tt_change, tt_len,
						    batadv_tt_global_valid,
						    req_dst_orig_node);
@@ -3156,9 +3161,11 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
			goto out;

		/* fill the rest of the tvlv with the real TT entries */
		batadv_tt_tvlv_generate(bat_priv, bat_priv->tt.local_hash,
		tvlv_len -= batadv_tt_tvlv_generate(bat_priv,
						    bat_priv->tt.local_hash,
						    tt_change, tt_len,
					batadv_tt_local_valid, NULL);
						    batadv_tt_local_valid,
						    NULL);
	}

	tvlv_tt_data->flags = BATADV_TT_RESPONSE;
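Review bot: The disclosure fix holds only while every caller subtracts the value returned by batadv_tt_tvlv_generate() from the length it sends, and neither the new signature nor the two call sites (batadv_send_other_tt_response() and batadv_send_my_tt_response()) states that. I would declare it `static u16 __must_check batadv_tt_tvlv_generate(...)` and extend the kernel-doc to `Return: Remaining unused length in tvlv_buff, in bytes; the caller must subtract it from the length it transmits.` The call-site comment could give the reason as well, e.g. `/* fill the rest of the tvlv with the real TT entries; the unused tail is trimmed so it is never sent */`. The buffer allocation is outside these hunks; if it is not zeroed there, the trimmed tail still holds stale heap data, so any later use of the untrimmed length would reintroduce the leak. All three functions start or end outside the hunks shown.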