Merge tag 'batadv-net-pullrequest-20250901' of https://git.open-mesh.org/linux-merge

Simon Wunderlich says: ==================== Here is a batman-adv bugfix: - fix OOB read/write in network-coding decode, by Stanislav Fort * tag 'batadv-net-pullrequest-20250901' of https://git.open-mesh.org/linux-merge: batman-adv: fix OOB read/write in network-coding decode ==================== Link: https://patch.msgid.link/ Signed-off-by: Jakub Kicinski <kuba@kernel.org>
author: Jakub Kicinski <kuba@kernel.org> 2025-09-01 13:35:36 -0700
committer: Jakub Kicinski <kuba@kernel.org> 2025-09-01 13:35:37 -0700
commit: aca701c61822d996f38b328d38d3b5d62a9f49b5 (patch)
tree: 453611d5ec145936478792c3b26fd5b4c87b1861
parent: 030e1c45666629f72d0fc1d040f9d2915680de8e (diff)
parent: d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c
index 9f56308779cc..af97d077369f 100644
--- a/net/batman-adv/network-coding.c
+++ b/net/batman-adv/network-coding.c
@@ -1687,7 +1687,12 @@ batadv_nc_skb_decode_packet(struct batadv_priv *bat_priv, struct sk_buff *skb,
 
 	coding_len = ntohs(coded_packet_tmp.coded_len);
 
-	if (coding_len > skb->len)
+	/* ensure dst buffer is large enough (payload only) */
+	if (coding_len + h_size > skb->len)
+		return NULL;
+
+	/* ensure src buffer is large enough (payload only) */
+	if (coding_len + h_size > nc_packet->skb->len)
 		return NULL;
 
 	/* Here the magic is reversed:
author	Jakub Kicinski <kuba@kernel.org>	2025-09-01 13:35:36 -0700
committer	Jakub Kicinski <kuba@kernel.org>	2025-09-01 13:35:37 -0700
commit	aca701c61822d996f38b328d38d3b5d62a9f49b5 (patch)
tree	453611d5ec145936478792c3b26fd5b4c87b1861
parent	030e1c45666629f72d0fc1d040f9d2915680de8e (diff)
parent	d77b6ff0ce35a6d0b0b7b9581bc3f76d041d4087 (diff)