| author | Sven Eckelmann <sven@narfation.org> | 2026-05-13 09:01:36 +0200 |
|---|---|---|
| committer | Sven Eckelmann <sven@narfation.org> | 2026-05-15 10:41:49 +0200 |
| commit | bc62216dc8e221e3781afa14430f45208bfa9af9 (patch) | |
| tree | 8e0bcf37af101f464e9226c42979f8d6ef847fb0 /include | |
| parent | 6c65cf23d4c6170fcf5714c32aa64689718cb142 (diff) | |
batman-adv: frag: disallow unicast fragment in fragment

batadv_frag_skb_buffer() is called by batadv_batman_skb_recv() when a
BATADV_UNICAST_FRAG packet is received. Once all fragments are collected
and the packet is reassembled, batadv_recv_frag_packet() calls
batadv_batman_skb_recv() again to process the defragmented payload.

A malicious sender can craft a BATADV_UNICAST_FRAG packet whose reassembled
payload is itself a BATADV_UNICAST_FRAG packet (matryoshka-style nesting).
Each nesting level recurses through batadv_batman_skb_recv() without bound,
growing the kernel stack until it is exhausted.

Since refragmentation or fragments in fragments are not actually allowed,
discard all packets which are still BATADV_UNICAST_FRAG packets after the
defragmentation process.

Cc: stable@kernel.org
Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge")
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Reviewed-by: Yuan Tan <yuantan098@gmail.com>
Signed-off-by: Sven Eckelmann <sven@narfation.org>

Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions
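
The check described in the commit message, as an added userspace model that is not the batman-adv code or part of this commit: a receive dispatcher that re-enters itself after defragmentation only when the merged payload is no longer a fragment. All `toy_*` names, the type tag values, the one-byte "reassembly" and the sample packets are constructed assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed type tags for this model; not the batman-adv wire values. */
enum toy_type { TOY_UNICAST = 1, TOY_UNICAST_FRAG = 2 };
enum toy_verdict { TOY_DELIVERED, TOY_DROPPED };

/* Constructed samples: a fragment carrying a plain unicast packet, and a
 * fragment whose merged payload is again a fragment. */
const uint8_t toy_plain_in_frag[] = { TOY_UNICAST_FRAG, TOY_UNICAST, 0xAA };
const uint8_t toy_nested[] = { TOY_UNICAST_FRAG, TOY_UNICAST_FRAG,
                               TOY_UNICAST_FRAG, TOY_UNICAST, 0xAA };

/* Toy "reassembly": the merged payload is everything after the type byte.
 * The caller guarantees len >= 1. */
static const uint8_t *toy_defrag(const uint8_t *pkt, size_t len, size_t *out_len)
{
    *out_len = len - 1;
    return pkt + 1;
}

/* Hypothetical receive path; *depth counts how often it is entered. */
enum toy_verdict toy_recv(const uint8_t *pkt, size_t len, unsigned *depth)
{
    const uint8_t *inner;
    size_t inner_len;

    (*depth)++;
    if (len == 0)
        return TOY_DROPPED;
    if (pkt[0] == TOY_UNICAST)
        return TOY_DELIVERED;
    if (pkt[0] != TOY_UNICAST_FRAG)
        return TOY_DROPPED;

    inner = toy_defrag(pkt, len, &inner_len);
    /* Still a fragment after defragmentation: discard instead of
     * re-entering, so one received packet causes at most one re-entry. */
    if (inner_len == 0 || inner[0] == TOY_UNICAST_FRAG)
        return TOY_DROPPED;
    return toy_recv(inner, inner_len, depth);
}

int main(void)
{
    unsigned d = 0;
    enum toy_verdict v = toy_recv(toy_nested, sizeof(toy_nested), &d);
    printf("nested: %s at depth %u\n", v == TOY_DROPPED ? "dropped" : "delivered", d);
    return 0;
}
```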
