Commit 907742aa authored by Sven Eckelmann's avatar Sven Eckelmann Committed by Ben Hutchings

batman-adv: Check for alloc errors when preparing TT local data

commit c2d0f48a upstream.

batadv_tt_prepare_tvlv_local_data can fail to allocate the memory for the
new TVLV block. The caller is informed about this problem with the returned
length of 0. Not checking this value results in an invalid memory access
when either tt_data or tt_change is accessed.
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Fixes: 7ea7b4a1 ("batman-adv: make the TT CRC logic VLAN specific")
Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
Signed-off-by: default avatarSimon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 1344f5b6
...@@ -2722,7 +2722,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv, ...@@ -2722,7 +2722,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
&tvlv_tt_data, &tvlv_tt_data,
&tt_change, &tt_change,
&tt_len); &tt_len);
if (!tt_len) if (!tt_len || !tvlv_len)
goto unlock; goto unlock;
/* Copy the last orig_node's OGM buffer */ /* Copy the last orig_node's OGM buffer */
...@@ -2740,7 +2740,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv, ...@@ -2740,7 +2740,7 @@ static bool batadv_send_my_tt_response(struct batadv_priv *bat_priv,
&tvlv_tt_data, &tvlv_tt_data,
&tt_change, &tt_change,
&tt_len); &tt_len);
if (!tt_len) if (!tt_len || !tvlv_len)
goto out; goto out;
/* fill the rest of the tvlv with the real TT entries */ /* fill the rest of the tvlv with the real TT entries */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment