Re: [PATCH v3 1/5] batman-adv: Do not send uninitialized TT changes

Thu, 21 Nov 2024 05:06:15 -0800 

On 20/11/2024 18:47, Remi Pommarel wrote:

The number of TT changes can be less than initially expected in
batadv_tt_tvlv_container_update() (changes can be removed by
batadv_tt_local_event() in ADD+DEL sequence between reading
tt_diff_entries_num and actually iterating the change list under lock).

Thus tt_diff_len could be bigger than the actual changes size that need
to be sent. Because batadv_send_my_tt_response sends the whole
packet, uninitialized data can be interpreted as TT changes on other
nodes leading to weird TT global entries on those nodes such as:

  * 00:00:00:00:00:00   -1 [....] (  0) 88:12:4e:ad:7e:ba (179) (0x45845380)
  * 00:00:00:00:78:79 4092 [.W..] (  0) 88:12:4e:ad:7e:3c (145) (0x8ebadb8b)

All of the above also applies to OGM tvlv container buffer's tvlv_len.

Remove the extra allocated space to avoid sending uninitialized TT
changes in batadv_send_my_tt_response() and batadv_v_ogm_send_softif().

Fixes: e1bf0c14096f ("batman-adv: tvlv - convert tt data sent within OGMs")
Signed-off-by: Remi Pommarel <[email protected]>
---
  net/batman-adv/translation-table.c | 7 +++++++
  1 file changed, 7 insertions(+)

diff --git a/net/batman-adv/translation-table.c 
b/net/batman-adv/translation-table.c
index 2243cec18ecc..f0590f9bc2b1 100644
--- a/net/batman-adv/translation-table.c
+++ b/net/batman-adv/translation-table.c
@@ -990,6 +990,7 @@ static void batadv_tt_tvlv_container_update(struct 
batadv_priv *bat_priv)
        int tt_diff_len, tt_change_len = 0;
        int tt_diff_entries_num = 0;
        int tt_diff_entries_count = 0;
+       size_t tt_extra_len = 0;
        u16 tvlv_len;
tt_diff_entries_num = atomic_read(&bat_priv->tt.local_changes); 
@@ -1027,6 +1028,9 @@ static void batadv_tt_tvlv_container_update(struct 
batadv_priv *bat_priv)
        }
        spin_unlock_bh(&bat_priv->tt.changes_list_lock);
what speaks against acquiring tt.changes_list_lock before reading tt.local_changes? (and making sure the writer does the update under lock too) Any reason for not pursuing that path? 

That should guarantee consistency across the counter and the list.
We could also have the situation where an ADD only comes between reading the counter and iterating over the list. In this case we don't send random memory, but we still send a somewhat inconsistent changeset. 


Regards,

--
Antonio Quartulli

Reply via email to