summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSven Eckelmann <sven@narfation.org>2026-06-26 18:11:44 +0200
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2026-07-04 13:43:30 +0200
commitbafa44ec7007465bab5aebc616f58fc8628cd952 (patch)
tree251b4a9e72c572004e8617fad127e613046ce08d
parente41903bd8ea8fe57f36bfd6ba2930e6fcab46abf (diff)
downloadlinux-stable-bafa44ec7007465bab5aebc616f58fc8628cd952.tar.gz
linux-stable-bafa44ec7007465bab5aebc616f58fc8628cd952.zip
batman-adv: frag: avoid underflow of TTL
commit 493d9d2528e1a09b090e4b37f0f553def7bd5ce9 upstream. Packets with a TTL are using it to limit the amount of time this packet can be forwarded. But for batadv_frag_packet, the TTL was always only reduced but it was never evaluated. It could even underflow without any effect. Check the TTL in batadv_frag_skb_fwd() before attempting to prepare it for forwarding. This keeps it in sync with the not fragmented unicast packet. Cc: stable@kernel.org Fixes: 610bfc6bc99b ("batman-adv: Receive fragmented packets and merge") Signed-off-by: Sven Eckelmann <sven@narfation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r--net/batman-adv/fragmentation.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/net/batman-adv/fragmentation.c b/net/batman-adv/fragmentation.c
index f6714405b0f9..375c94991213 100644
--- a/net/batman-adv/fragmentation.c
+++ b/net/batman-adv/fragmentation.c
@@ -415,6 +415,13 @@ bool batadv_frag_skb_fwd(struct sk_buff *skb,
*/
total_size = ntohs(packet->total_size);
if (total_size > neigh_node->if_incoming->net_dev->mtu) {
+ if (packet->ttl < 2) {
+ kfree_skb(skb);
+ *rx_result = NET_RX_DROP;
+ ret = true;
+ goto out;
+ }
+
if (skb_cow(skb, ETH_HLEN) < 0) {
kfree_skb(skb);
*rx_result = NET_RX_DROP;