mirror of https://github.com/torvalds/linux.git
d77b6ff0ce
batadv_nc_skb_decode_packet() trusts coded_len and checks only against
skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
payload headroom, and the source skb length is not verified, allowing an
out-of-bounds read and a small out-of-bounds write.
Validate that coded_len fits within the payload area of both destination
and source sk_buffs before XORing.
Fixes:
|
||
|---|---|---|
| .. | ||
| Kconfig | ||
| Makefile | ||
| bat_algo.c | ||
| bat_algo.h | ||
| bat_iv_ogm.c | ||
| bat_iv_ogm.h | ||
| bat_v.c | ||
| bat_v.h | ||
| bat_v_elp.c | ||
| bat_v_elp.h | ||
| bat_v_ogm.c | ||
| bat_v_ogm.h | ||
| bitarray.c | ||
| bitarray.h | ||
| bridge_loop_avoidance.c | ||
| bridge_loop_avoidance.h | ||
| distributed-arp-table.c | ||
| distributed-arp-table.h | ||
| fragmentation.c | ||
| fragmentation.h | ||
| gateway_client.c | ||
| gateway_client.h | ||
| gateway_common.c | ||
| gateway_common.h | ||
| hard-interface.c | ||
| hard-interface.h | ||
| hash.c | ||
| hash.h | ||
| log.c | ||
| log.h | ||
| main.c | ||
| main.h | ||
| mesh-interface.c | ||
| mesh-interface.h | ||
| multicast.c | ||
| multicast.h | ||
| multicast_forw.c | ||
| netlink.c | ||
| netlink.h | ||
| network-coding.c | ||
| network-coding.h | ||
| originator.c | ||
| originator.h | ||
| routing.c | ||
| routing.h | ||
| send.c | ||
| send.h | ||
| tp_meter.c | ||
| tp_meter.h | ||
| trace.c | ||
| trace.h | ||
| translation-table.c | ||
| translation-table.h | ||
| tvlv.c | ||
| tvlv.h | ||
| types.h | ||