| From: =?UTF-8?q?Linus=20L=C3=BCssing?= <linus.luessing@c0d3.blue> |
| Date: Thu, 7 Jun 2018 00:46:24 +0200 |
| Subject: batman-adv: Fix multicast TT issues with bogus ROAM flags |
| MIME-Version: 1.0 |
| Content-Type: text/plain; charset=UTF-8 |
| Content-Transfer-Encoding: 8bit |
| |
| commit a44ebeff6bbd6ef50db41b4195fca87b21aefd20 upstream. |
| |
| When a (broken) node wrongly sends multicast TT entries with a ROAM |
| flag then this causes any receiving node to drop all entries for the |
| same multicast MAC address announced by other nodes, leading to |
| packet loss. |
| |
| Fix this DoS vector by only storing TT sync flags. For multicast TT |
| non-sync'ing flag bits like ROAM are unused so far anyway. |
| |
| Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets") |
| Reported-by: Leonardo Mörlein <me@irrelefant.net> |
| Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> |
| Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| net/batman-adv/translation-table.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/net/batman-adv/translation-table.c |
| +++ b/net/batman-adv/translation-table.c |
| @@ -1378,7 +1378,8 @@ static bool batadv_tt_global_add(struct |
| ether_addr_copy(common->addr, tt_addr); |
| common->vid = vid; |
| |
| - common->flags = flags & (~BATADV_TT_SYNC_MASK); |
| + if (!is_multicast_ether_addr(common->addr)) |
| + common->flags = flags & (~BATADV_TT_SYNC_MASK); |
| |
| tt_global_entry->roam_at = 0; |
| /* node must store current time in case of roaming. This is |
| @@ -1435,7 +1436,8 @@ static bool batadv_tt_global_add(struct |
| * TT_CLIENT_TEMP, therefore they have to be copied in the |
| * client entry |
| */ |
| - common->flags |= flags & (~BATADV_TT_SYNC_MASK); |
| + if (!is_multicast_ether_addr(common->addr)) |
| + common->flags |= flags & (~BATADV_TT_SYNC_MASK); |
| |
| /* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only |
| * one originator left in the list and we previously received a |