On Tuesday, December 26, 2017 3:14:01 PM CET Sven Eckelmann wrote:
> batman-adv uses internal indices for each enabled and active interface. It is currently used by the B.A.T.M.A.N. IV algorithm to identify the correct position in the ogm_cnt bitmaps.
>
> The type for the number of enabled interfaces (which defines the next interface index) was set to char. This type can be (depending on the architecture) either signed (limiting batman-adv to 127 active slave interfaces) or unsigned (limiting batman-adv to 255 active slave interfaces).
>
> This limit was not correctly checked when an interface was enabled and thus an overflow happened. This was only caught on systems with the signed char type when the B.A.T.M.A.N. IV code tried to resize its counter arrays with a negative size.
>
> The if_num interface index was only a s16 and therefore significantly smaller than the ifindex (int) used by the net core code.
>
> Both &batadv_hard_iface->if_num and &batadv_priv->num_ifaces must be (unsigned) int to support the same number of slave interfaces as the net core code. And the interface activation code must check the number of active slave interfaces to avoid integer overflows.
>
> Fixes: d1fbb61d0534 ("raw socket operations added: create / destroy / bind / send broadcast of own OGMs implemented orig interval configurable via /proc/net/batman-adv/orig_interval")
> Fixes: ea6f8d42a595 ("batman-adv: move /proc interface handling to /sys")
> Signed-off-by: Sven Eckelmann <sven@narfation.org>
Applied in d5db560d. As discussed, I've applied this into the master branch to avoid merge conflicts, since we are about to release anyway.
Thank you!
Simon
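The two failure modes the quoted commit message describes (a char-typed interface counter that wraps after 127 enables on signed-char platforms, and the negative array size that results when that counter is used to resize the per-interface counter arrays) can be reproduced in a small stand-alone model. The following is an added example written for this thread, not code from batman-adv or from Sven's patch: the struct names, the `old_*`/`new_*` functions and the `max` limit passed to `new_enable()` are constructed for the demo, and the old path deliberately keeps the unchecked `signed char` counter to show the wrap, while the new path mirrors the fix in spirit (an `unsigned int` counter plus an explicit bound check before incrementing).

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the old state: a signed char counter (explicitly
 * signed here so the demo behaves the same on every platform) and an s16
 * index, with no bound check on enable.  NOT batman-adv's real structs. */
struct old_priv { signed char num_ifaces; };
struct old_hard_iface { short if_num; };

/* Old behaviour as described: assign the next index and bump the counter.
 * Storing 128 into a signed char is implementation-defined in C; GCC and
 * Clang wrap modulo 256, so the 128th enable yields -128. */
int old_enable(struct old_priv *bp, struct old_hard_iface *hi)
{
    hi->if_num = bp->num_ifaces;
    bp->num_ifaces++;
    return 0;
}

/* Size the B.A.T.M.A.N. IV resize would request: interfaces * slot size.
 * Once num_ifaces has wrapped negative, this goes negative too. */
long old_resize_bytes(const struct old_priv *bp, size_t slot_bytes)
{
    return (long)bp->num_ifaces * (long)slot_bytes;
}

/* Drive the old path n times and return the counter value afterwards. */
int old_counter_after(int n)
{
    struct old_priv bp = { 0 };
    struct old_hard_iface hi = { 0 };
    for (int i = 0; i < n; i++)
        old_enable(&bp, &hi);
    return bp.num_ifaces;
}

/* Drive the old path n times and return the resize size it would compute. */
long old_resize_after(int n, size_t slot_bytes)
{
    struct old_priv bp = { 0 };
    struct old_hard_iface hi = { 0 };
    for (int i = 0; i < n; i++)
        old_enable(&bp, &hi);
    return old_resize_bytes(&bp, slot_bytes);
}

/* Constructed model of the fixed state: unsigned int counter and index. */
struct new_priv { unsigned int num_ifaces; };
struct new_hard_iface { unsigned int if_num; };

/* Fixed behaviour: refuse the enable once the configured limit is reached
 * instead of letting the counter overflow.  `max` is a demo parameter;
 * the real code bounds against the type's capacity. */
int new_enable(struct new_priv *bp, struct new_hard_iface *hi, unsigned int max)
{
    if (bp->num_ifaces >= max)
        return -ENOSPC;
    hi->if_num = bp->num_ifaces;
    bp->num_ifaces++;
    return 0;
}

/* Try n enables against limit `max`; return how many succeeded. */
unsigned int new_enabled_after(int n, unsigned int max)
{
    struct new_priv bp = { 0 };
    struct new_hard_iface hi = { 0 };
    unsigned int ok = 0;
    for (int i = 0; i < n; i++)
        if (new_enable(&bp, &hi, max) == 0)
            ok++;
    return ok;
}

int main(void)
{
    printf("old counter after 127 enables: %d\n", old_counter_after(127));
    printf("old counter after 128 enables: %d\n", old_counter_after(128));
    printf("old resize size after 128 enables (2-byte slots): %ld\n",
           old_resize_after(128, 2));
    printf("new path, limit 4, 10 attempts: %u succeeded\n",
           new_enabled_after(10, 4));
    return 0;
}
```

The interesting line is the resize size: on the old path the 128th enable does not fail, it silently produces a negative counter, and only the later allocation with that negative size surfaces the problem (which is why, as the commit message notes, unsigned-char platforms never caught it at all). The new path turns the same condition into an explicit `-ENOSPC` at enable time and leaves the counter untouched.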