summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorSven Eckelmann <sven@narfation.org>2026-05-02 20:53:21 +0300
committerSven Eckelmann <sven@narfation.org>2026-05-12 09:33:52 +0300
commitfc92cdfcb295cefa4344d71a527d61b638b7bfc4 (patch)
tree24baae42d5779d2a0a7817dfe220051447b1dbb7
parentb64963a2ceeb7529310b6cf253a1e540784422f4 (diff)
downloadlinux-fc92cdfcb295cefa4344d71a527d61b638b7bfc4.tar.xz
batman-adv: tt: fix negative last_changeset_len
batadv_piv_tt::last_changeset_len len was declared as s16, but the field is never intended to hold a negative value. When a value greater than 32767 is assigned, it wraps to a negative signed integer. In batadv_send_my_tt_response(), last_changeset_len is temporarily widened to s32. The incorrectly negative s16 value propagates into the s32, causing batadv_tt_prepare_tvlv_local_data() to allocate a full sized buffer but populates only a small portion of it with the collected changeset. All remaining bits are kept uninitialized. Using an u16 avoids this type confusion and ensures that no (negative) sign extension is performed in batadv_send_my_tt_response(). Cc: stable@kernel.org Fixes: a73105b8d4c7 ("batman-adv: improved client announcement mechanism") Signed-off-by: Sven Eckelmann <sven@narfation.org>
-rw-r--r--net/batman-adv/types.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
index 888f337a194b..739439e2b235 100644
--- a/net/batman-adv/types.h
+++ b/net/batman-adv/types.h
@@ -993,7 +993,7 @@ struct batadv_priv_tt {
* @last_changeset_len: length of last tt changeset this host has
* generated
*/
- s16 last_changeset_len;
+ u16 last_changeset_len;
/**
* @last_changeset_lock: lock protecting last_changeset &