batman-adv: Merge bugfixes from 2025.3
author: Sven Eckelmann <[email protected]>
Fri, 5 Sep 2025 14:19:21 +0000 (16:19 +0200)
committer: Sven Eckelmann <[email protected]>
Fri, 5 Sep 2025 14:19:21 +0000 (16:19 +0200)
* fix OOB read/write in network-coding decode

Signed-off-by: Sven Eckelmann <[email protected]>
batman-adv/Makefile
batman-adv/patches/0011-batman-adv-fix-OOB-read-write-in-network-coding-deco.patch [new file with mode: 0644]

index 88cee7e4755174cd1710cb95b12a31933daa3a53..bf085633a7ec33e3e00e7d78529a6624f2f28a63 100644 (file)
@@ -4,7 +4,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=batman-adv
 PKG_VERSION:=2024.3
-PKG_RELEASE:=6
+PKG_RELEASE:=7
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
 PKG_SOURCE_URL:=https://downloads.open-mesh.org/batman/releases/batman-adv-$(PKG_VERSION)
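Review bot: the PKG_RELEASE bump from 6 to 7 is the right change for a patch-only update: PKG_VERSION stays at 2024.3, so this is a backport of the upstream fix into the 2024.3 package rather than a move to 2025.3 as the commit title might suggest, which matches the "Origin: upstream" line in the new patch file.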
diff --git a/batman-adv/patches/0011-batman-adv-fix-OOB-read-write-in-network-coding-deco.patch b/batman-adv/patches/0011-batman-adv-fix-OOB-read-write-in-network-coding-deco.patch
new file mode 100644 (file)
index 0000000..2b77988
--- /dev/null
@@ -0,0 +1,34 @@
+From: Stanislav Fort <[email protected]>
+Date: Sun, 31 Aug 2025 16:56:23 +0200
+Subject: batman-adv: fix OOB read/write in network-coding decode
+
+batadv_nc_skb_decode_packet() trusts coded_len and checks only against
+skb->len. XOR starts at sizeof(struct batadv_unicast_packet), reducing
+payload headroom, and the source skb length is not verified, allowing an
+out-of-bounds read and a small out-of-bounds write.
+
+Validate that coded_len fits within the payload area of both destination
+and source sk_buffs before XORing.
+
+Fixes: 65aa656f3be9 ("batman-adv: network coding - receive coded packets and decode them")
+Reported-by: Stanislav Fort <[email protected]>
+Signed-off-by: Stanislav Fort <[email protected]>
+Signed-off-by: Sven Eckelmann <[email protected]>
+Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/?id=afd409d7b189044fc9bf66e50de35cb1fc08a1ee
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -1687,7 +1687,12 @@ batadv_nc_skb_decode_packet(struct batad
+       coding_len = ntohs(coded_packet_tmp.coded_len);
+-      if (coding_len > skb->len)
++      /* ensure dst buffer is large enough (payload only) */
++      if (coding_len + h_size > skb->len)
++              return NULL;
++
++      /* ensure src buffer is large enough (payload only) */
++      if (coding_len + h_size > nc_packet->skb->len)
+               return NULL;
+       /* Here the magic is reversed:
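Review bot: the two new checks use `h_size`, which is not defined in the visible context; from the commit message (the XOR starts at sizeof(struct batadv_unicast_packet)) it should be that header size, and the reviewer should confirm it matches both the start index and the upper bound of the XOR loop that follows the "Here the magic is reversed" comment, since that loop is outside the hunk. `coding_len` comes from ntohs(), so `coding_len + h_size` cannot overflow and the comparison against the unsigned skb->len is safe. Note also that the hunk header announces 34 added lines but only 31 are shown, so the tail of the patch file (the remaining context after "Here the magic is reversed") is cut off on this page and the patch cannot be verified to apply cleanly from this rendering alone. Keeping the dst and src checks as two separate ifs with their own comments reads better than a combined condition.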