[PATCH] batman-adv: fix integer overflow on buff_pos


Lyes Bourennani

Apr 22, 2026, 2:35:10 AM
to marek....@mailbox.org, s...@simonwunderlich.de, ant...@mandelbit.com, sv...@narfation.org, api...@fuzzinglabs.com, secu...@kernel.org, syzk...@googlegroups.com, b.a.t...@lists.open-mesh.org, Lyes Bourennani
Fixing an integer overflow present in batadv_iv_ogm_send_to_if.
The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type.
This could lead to an out-of-bound read.

Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")

Signed-off-by: Lyes Bourennani <lbour...@fuzzinglabs.com>
Signed-off-by: Alexis Pinson <api...@fuzzinglabs.com>
---
net/batman-adv/bat_iv_ogm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index f28e9cbf8ad5..618d1889c04e 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -335,7 +335,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
struct batadv_priv *bat_priv = netdev_priv(hard_iface->mesh_iface);
const char *fwd_str;
u8 packet_num;
- s16 buff_pos;
+ int buff_pos;
struct batadv_ogm_packet *batadv_ogm_packet;
struct sk_buff *skb;
u8 *packet_pos;
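Review bot: the `int buff_pos;` declaration widens the variable, but the commit message does not say which length pushes buff_pos past the s16 range or what bounds the aggregated packet, so a reader cannot confirm from the patch alone that the position handed to the int size check in batadv_iv_ogm_aggr_packet can no longer wrap. Suggest naming the length or limit involved in the commit message, and checking whether any other local in this file that is passed as the position to batadv_iv_ogm_aggr_packet is still declared narrower than int.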
--
2.43.0

Sven Eckelmann

Apr 22, 2026, 7:38:29 AM
to marek....@mailbox.org, s...@simonwunderlich.de, ant...@mandelbit.com, Lyes Bourennani, api...@fuzzinglabs.com, secu...@kernel.org, syzk...@googlegroups.com, b.a.t...@lists.open-mesh.org, Lyes Bourennani
On Wednesday, 22 April 2026 00:20:22 CEST Lyes Bourennani wrote:
> Fixing an integer overflow present in batadv_iv_ogm_send_to_if.
> The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type.
> This could lead to an out-of-bound read.
>
> Fixes: c6c8fea29769 ("net: Add batman-adv meshing protocol")
>
> Signed-off-by: Lyes Bourennani <lbour...@fuzzinglabs.com>
> Signed-off-by: Alexis Pinson <api...@fuzzinglabs.com>
> ---

Applied after fixing style issues in the commit message:

$ b4 mbox 20260421222022.21...@fuzzinglabs.com
$ ./scripts/checkpatch.pl --strict 20260421222022.21...@fuzzinglabs.com.mbx
WARNING: Prefer a maximum 75 chars per line (possible unwrapped commit description?)
#147:
The size check is done using the int type in batadv_iv_ogm_aggr_packet whereas the buff_pos variable uses the s16 type.

total: 0 errors, 1 warnings, 0 checks, 8 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
mechanically convert to the typical style using --fix or --fix-inplace.

20260421222022.21...@fuzzinglabs.com.mbx has style problems, please review.

NOTE: If any of the errors are false positives, please report
them to the maintainer, see CHECKPATCH in MAINTAINERS

Overall, it is unclear to me how Alexis Pinson <api...@fuzzinglabs.com> is
part of the chain. Lyes Bourennani is the author and Lyes Bourennani submitted
the patch. See the documentation [1]:

> Any further SoBs (Signed-off-by:’s) following the author’s SoB are from
> people handling and transporting the patch, but were not involved in its
> development. SoB chains should reflect the real route a patch took as it was
> propagated to the maintainers and ultimately to Linus, with the first SoB
> entry signalling primary authorship of a single author.


If you want to say that Alexis Pinson also developed this, you would usually
say "Co-developed-by: ..." followed by the Signed-off-by [1] from the same
person. And only then the Signed-off-by of the submitting Co-author. You
might better understand it when looking at the examples.

[1/1] batman-adv: fix integer overflow on buff_pos
https://git.open-mesh.org/linux-merge.git/commit/?h=batadv/net&id=ef6f94dbf35185c19d37bdb9cdd96bf0a6e985e4


[1] https://docs.kernel.org/process/submitting-patches.html#developer-s-certificate-of-origin-1-1
[2] https://docs.kernel.org/process/submitting-patches.html#when-to-use-acked-by-cc-and-co-developed-by

Best regards,
---
Sven

Lyes Bourennani

Apr 22, 2026, 9:14:08 AM
to Sven Eckelmann, marek....@mailbox.org, s...@simonwunderlich.de, ant...@mandelbit.com, api...@fuzzinglabs.com, secu...@kernel.org, syzk...@googlegroups.com, b.a.t...@lists.open-mesh.org
On Wed, 2026-04-22 at 13:38 +0200, Sven Eckelmann wrote:
> Overall, it is unclear to me how Alexis Pinson <api...@fuzzinglabs.com> is
> part of the chain. Lyes Bourennani is the author and Lyes Bourennani submitted
> the patch. See the documentation [1]:
>
>
>
Sorry for the inconvenience, we thank you for the help and the guidance.
We take note of the documentation and will do better next time.

Regards,

Alexis and Lyes