[PATCH batadv 4/8] batman-adv: tt: fix negative tt_buff_len

From: Sven Eckelmann

Date: Sun May 03 2026 - 08:26:05 EST


batadv_orig_node::tt_buff_len was declared as s16, but the field is never
intended to hold a negative value. When a value greater than 32767 is
assigned, it wraps to a negative signed integer.

In batadv_send_other_tt_response(), tt_buff_len is temporarily widened to
s32. The incorrectly negative s16 value propagates into the s32, causing
batadv_tt_prepare_tvlv_global_data() to allocate a full-sized buffer but
populate only a small portion of it with the collected changeset. All
remaining bits are kept uninitialized.

Using a u16 avoids this type confusion and ensures that no (negative) sign
extension is performed in batadv_send_other_tt_response().

Cc: stable@xxxxxxxxxx
Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism")
Signed-off-by: Sven Eckelmann <sven@xxxxxxxxxxxxx>
---
net/batman-adv/types.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index daa06f421154..0f3814b458cc 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -452,7 +452,7 @@ struct batadv_orig_node {
* @tt_buff_len: length of the last tt changeset this node received
* from the orig node
*/
- s16 tt_buff_len;
+ u16 tt_buff_len;

/** @tt_buff_lock: lock that protects tt_buff and tt_buff_len */
spinlock_t tt_buff_lock;
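
Review bot: the write side of tt_buff_len is not covered by this hunk. With the field now u16, a length above 65535 would truncate silently on assignment instead of going negative, and nothing visible here shows that the sites storing into tt_buff_len bound the value. Suggest confirming in the commit message that the writers cap the changeset length to what u16 can hold, and that the s32 local in batadv_send_other_tt_response() has no remaining path that treats a negative tt_buff_len as meaningful. The kernel-doc line for @tt_buff_len could also state the unit and that the value is never negative, so the type choice is documented next to the field.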

--
2.47.3