| From foo@baz Tue Nov 23 01:39:02 PM CET 2021 |
| From: Sven Eckelmann <sven@narfation.org> |
| Date: Sat, 20 Nov 2021 13:39:30 +0100 |
| Subject: batman-adv: Fix multicast TT issues with bogus ROAM flags |
| To: stable@vger.kernel.org |
| Cc: b.a.t.m.a.n@lists.open-mesh.org, "Linus Lüssing" <linus.luessing@c0d3.blue>, "Leonardo Mörlein" <me@irrelefant.net>, "Simon Wunderlich" <sw@simonwunderlich.de>, "Sven Eckelmann" <sven@narfation.org> |
| Message-ID: <20211120123939.260723-3-sven@narfation.org> |
| |
| From: Linus Lüssing <linus.luessing@c0d3.blue> |
| |
| commit a44ebeff6bbd6ef50db41b4195fca87b21aefd20 upstream. |
| |
| When a (broken) node wrongly sends multicast TT entries with a ROAM |
| flag then this causes any receiving node to drop all entries for the |
| same multicast MAC address announced by other nodes, leading to |
| packet loss. |
| |
| Fix this DoS vector by only storing TT sync flags. For multicast TT |
| non-sync'ing flag bits like ROAM are unused so far anyway. |
| |
| Fixes: 1d8ab8d3c176 ("batman-adv: Modified forwarding behaviour for multicast packets") |
| Reported-by: Leonardo Mörlein <me@irrelefant.net> |
| Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue> |
| Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de> |
| [ bp: 4.4 backported: adjust context, use old style to access flags ] |
| Signed-off-by: Sven Eckelmann <sven@narfation.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/batman-adv/translation-table.c | 6 ++++-- |
| 1 file changed, 4 insertions(+), 2 deletions(-) |
| |
| --- a/net/batman-adv/translation-table.c |
| +++ b/net/batman-adv/translation-table.c |
| @@ -1426,7 +1426,8 @@ static bool batadv_tt_global_add(struct |
| ether_addr_copy(common->addr, tt_addr); |
| common->vid = vid; |
| |
| - common->flags = flags & (~BATADV_TT_SYNC_MASK); |
| + if (!is_multicast_ether_addr(common->addr)) |
| + common->flags = flags & (~BATADV_TT_SYNC_MASK); |
| |
| tt_global_entry->roam_at = 0; |
| /* node must store current time in case of roaming. This is |
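Review bot: on the new-entry path, a multicast address now leaves common->flags unassigned here, because `common->flags = flags & (~BATADV_TT_SYNC_MASK);` only runs under `if (!is_multicast_ether_addr(common->addr))`. The result is only correct if the entry was zeroed when it was allocated, and that allocation is not visible in this hunk. Please confirm it against the 4.4 code, or make it explicit with an else branch that sets the flags to 0. A one-line comment stating that non-sync bits such as ROAM are deliberately not stored for multicast entries would also keep the guard from being removed later as redundant.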
| @@ -1489,7 +1490,8 @@ static bool batadv_tt_global_add(struct |
| * TT_CLIENT_WIFI, therefore they have to be copied in the |
| * client entry |
| */ |
| - tt_global_entry->common.flags |= flags & (~BATADV_TT_SYNC_MASK); |
| + if (!is_multicast_ether_addr(common->addr)) |
| + tt_global_entry->common.flags |= flags & (~BATADV_TT_SYNC_MASK); |
| |
| /* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only |
| * one originator left in the list and we previously received a |
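Review bot: the comment directly above the changed line still says the flags "have to be copied in the client entry", which no longer holds for multicast addresses once the `if (!is_multicast_ether_addr(common->addr))` guard is in place. Please extend that comment to say that multicast entries skip the copy and why (a bogus ROAM bit from another node must not be merged into the entry). The guard also reads the address through `common` while the assignment writes through `tt_global_entry->common.flags`. Using the same accessor for both would make it obvious from this hunk alone that they refer to the same entry.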