Commit d77b6ff0 authored Aug 31, 2025 by Stanislav Fort Committed by Simon Wunderlich Aug 31, 2025

batman-adv: fix OOB read/write in network-coding decode



batadv_nc_skb_decode_packet() trusts coded_len and checks only against
skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
payload headroom, and the source skb length is not verified, allowing an
out-of-bounds read and a small out-of-bounds write.

Validate that coded_len fits within the payload area of both destination
and source sk_buffs before XORing.

Fixes: 2df5278b ("batman-adv: network coding - receive coded packets and decode them")
Cc: stable@vger.kernel.org
Reported-by: Stanislav Fort <disclosure@aisle.com>
Signed-off-by: Stanislav Fort <stanislav.fort@aisle.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>

parent 6439a0e6

Show whitespace changes

Inline Side-by-side

CodeLinaro @codelinaro
mentioned in commit 1e36c6c8
· Nov 05, 2025

mentioned in commit 1e36c6c8

mentioned in commit 1e36c6c8dc8023b4bbe9a16e819f9998b9b6a183

Toggle commit list
CodeLinaro @codelinaro
mentioned in commit 5d334bce
· Nov 05, 2025

mentioned in commit 5d334bce

mentioned in commit 5d334bce9fad58cf328d8fa14ea1fff855819863

Toggle commit list

Please to comment