1 From: Linus Lüssing <linus.luessing@c0d3.blue>
2 Date: Thu, 6 Jul 2017 07:02:25 +0200
3 Subject: batman-adv: fix TT sync flag inconsistencies
5 This patch fixes an issue in the translation table code potentially
6 leading to a TT Request + Response storm. The issue may occur for nodes
7 involving BLA and an inconsistent configuration of the batman-adv AP
8 isolation feature. However, since the new multicast optimizations, a
9 single, malformed packet may lead to a mesh-wide, persistent
10 Denial-of-Service, too.
12 The issue occurs because nodes are currently OR-ing the TT sync flags of
13 all originators announcing a specific MAC address via the
14 translation table. When an intermediate node now receives a TT Request
15 and wants to answer this on behalf of the destination node, then this
16 intermediate node now responds with an altered flag field and broken
17 CRC. The next OGM of the real destination will lead to a CRC mismatch
18 and triggering a TT Request and Response again.
20 Furthermore, the OR-ing is currently never undone as long as at least
21 one originator announcing the according MAC address remains, leading to
22 the potential persistency of this issue.
24 This patch fixes this issue by storing the flags used in the CRC
25 calculation on a a per TT orig entry basis to be able to respond with
26 the correct, original flags in an intermediate TT Response for one
27 thing. And to be able to correctly unset sync flags once all nodes
28 announcing a sync flag vanish for another.
30 Fixes: fa614fd04692 ("batman-adv: fix tt_global_entries flags update")
31 Signed-off-by: Linus Lüssing <linus.luessing@c0d3.blue>
32 Acked-by: Antonio Quartulli <a@unstable.cc>
33 [sw: typo in commit message]
34 Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
36 Origin: upstream, https://git.open-mesh.org/batman-adv.git/commit/382d020fe3fa528b1f65f8107df8fc023eb8cacb
38 diff --git a/net/batman-adv/translation-table.c b/net/batman-adv/translation-table.c
39 index 199da2abe6ab92161ab66faa01fa3d06aeb68c89..a64003b824e0d0b05f0a9e44ccc32ba0cb3018fc 100644
40 --- a/net/batman-adv/translation-table.c
41 +++ b/net/batman-adv/translation-table.c
42 @@ -1549,9 +1549,41 @@ batadv_tt_global_entry_has_orig(const struct batadv_tt_global_entry *entry,
47 + * batadv_tt_global_sync_flags - update TT sync flags
48 + * @tt_global: the TT global entry to update sync flags in
50 + * Updates the sync flag bits in the tt_global flag attribute with a logical
51 + * OR of all sync flags from any of its TT orig entries.
54 +batadv_tt_global_sync_flags(struct batadv_tt_global_entry *tt_global)
56 + struct batadv_tt_orig_list_entry *orig_entry;
57 + const struct hlist_head *head;
58 + u16 flags = BATADV_NO_FLAGS;
61 + head = &tt_global->orig_list;
62 + hlist_for_each_entry_rcu(orig_entry, head, list)
63 + flags |= orig_entry->flags;
66 + flags |= tt_global->common.flags & (~BATADV_TT_SYNC_MASK);
67 + tt_global->common.flags = flags;
71 + * batadv_tt_global_orig_entry_add - add or update a TT orig entry
72 + * @tt_global: the TT global entry to add an orig entry in
73 + * @orig_node: the originator to add an orig entry for
74 + * @ttvn: translation table version number of this changeset
75 + * @flags: TT sync flags
78 batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
79 - struct batadv_orig_node *orig_node, int ttvn)
80 + struct batadv_orig_node *orig_node, int ttvn,
83 struct batadv_tt_orig_list_entry *orig_entry;
85 @@ -1561,7 +1593,8 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
86 * was added during a "temporary client detection"
88 orig_entry->ttvn = ttvn;
90 + orig_entry->flags = flags;
94 orig_entry = kmem_cache_zalloc(batadv_tt_orig_cache, GFP_ATOMIC);
95 @@ -1573,6 +1606,7 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
96 batadv_tt_global_size_inc(orig_node, tt_global->common.vid);
97 orig_entry->orig_node = orig_node;
98 orig_entry->ttvn = ttvn;
99 + orig_entry->flags = flags;
100 kref_init(&orig_entry->refcount);
102 spin_lock_bh(&tt_global->list_lock);
103 @@ -1582,6 +1616,8 @@ batadv_tt_global_orig_entry_add(struct batadv_tt_global_entry *tt_global,
104 spin_unlock_bh(&tt_global->list_lock);
105 atomic_inc(&tt_global->orig_list_count);
108 + batadv_tt_global_sync_flags(tt_global);
111 batadv_tt_orig_list_entry_put(orig_entry);
112 @@ -1703,10 +1739,10 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
115 /* the change can carry possible "attribute" flags like the
116 - * TT_CLIENT_WIFI, therefore they have to be copied in the
117 + * TT_CLIENT_TEMP, therefore they have to be copied in the
120 - common->flags |= flags;
121 + common->flags |= flags & (~BATADV_TT_SYNC_MASK);
123 /* If there is the BATADV_TT_CLIENT_ROAM flag set, there is only
124 * one originator left in the list and we previously received a
125 @@ -1723,7 +1759,8 @@ static bool batadv_tt_global_add(struct batadv_priv *bat_priv,
128 /* add the new orig_entry (if needed) or update it */
129 - batadv_tt_global_orig_entry_add(tt_global_entry, orig_node, ttvn);
130 + batadv_tt_global_orig_entry_add(tt_global_entry, orig_node, ttvn,
131 + flags & BATADV_TT_SYNC_MASK);
133 batadv_dbg(BATADV_DBG_TT, bat_priv,
134 "Creating new global tt entry: %pM (vid: %d, via %pM)\n",
135 @@ -1946,6 +1983,7 @@ batadv_tt_global_dump_subentry(struct sk_buff *msg, u32 portid, u32 seq,
136 struct batadv_tt_orig_list_entry *orig,
139 + u16 flags = (common->flags & (~BATADV_TT_SYNC_MASK)) | orig->flags;
141 struct batadv_orig_node_vlan *vlan;
143 @@ -1975,7 +2013,7 @@ batadv_tt_global_dump_subentry(struct sk_buff *msg, u32 portid, u32 seq,
144 nla_put_u8(msg, BATADV_ATTR_TT_LAST_TTVN, last_ttvn) ||
145 nla_put_u32(msg, BATADV_ATTR_TT_CRC32, crc) ||
146 nla_put_u16(msg, BATADV_ATTR_TT_VID, common->vid) ||
147 - nla_put_u32(msg, BATADV_ATTR_TT_FLAGS, common->flags))
148 + nla_put_u32(msg, BATADV_ATTR_TT_FLAGS, flags))
149 goto nla_put_failure;
151 if (best && nla_put_flag(msg, BATADV_ATTR_FLAG_BEST))
152 @@ -2589,6 +2627,7 @@ static u32 batadv_tt_global_crc(struct batadv_priv *bat_priv,
155 struct batadv_hashtable *hash = bat_priv->tt.global_hash;
156 + struct batadv_tt_orig_list_entry *tt_orig;
157 struct batadv_tt_common_entry *tt_common;
158 struct batadv_tt_global_entry *tt_global;
159 struct hlist_head *head;
160 @@ -2627,8 +2666,9 @@ static u32 batadv_tt_global_crc(struct batadv_priv *bat_priv,
161 /* find out if this global entry is announced by this
164 - if (!batadv_tt_global_entry_has_orig(tt_global,
166 + tt_orig = batadv_tt_global_orig_entry_find(tt_global,
171 /* use network order to read the VID: this ensures that
172 @@ -2640,10 +2680,12 @@ static u32 batadv_tt_global_crc(struct batadv_priv *bat_priv,
173 /* compute the CRC on flags that have to be kept in sync
176 - flags = tt_common->flags & BATADV_TT_SYNC_MASK;
177 + flags = tt_orig->flags;
178 crc_tmp = crc32c(crc_tmp, &flags, sizeof(flags));
180 crc ^= crc32c(crc_tmp, tt_common->addr, ETH_ALEN);
182 + batadv_tt_orig_list_entry_put(tt_orig);
186 diff --git a/net/batman-adv/types.h b/net/batman-adv/types.h
187 index 5137d859694c28f60cad33325127617c047412ff..7c928938b22dcae681294700252c0ae74378f999 100644
188 --- a/net/batman-adv/types.h
189 +++ b/net/batman-adv/types.h
190 @@ -1262,6 +1262,7 @@ struct batadv_tt_global_entry {
191 * struct batadv_tt_orig_list_entry - orig node announcing a non-mesh client
192 * @orig_node: pointer to orig node announcing this non-mesh client
193 * @ttvn: translation table version number which added the non-mesh client
194 + * @flags: per orig entry TT sync flags
195 * @list: list node for batadv_tt_global_entry::orig_list
196 * @refcount: number of contexts the object is used
197 * @rcu: struct used for freeing in an RCU-safe manner
198 @@ -1269,6 +1270,7 @@ struct batadv_tt_global_entry {
199 struct batadv_tt_orig_list_entry {
200 struct batadv_orig_node *orig_node;
203 struct hlist_node list;
204 struct kref refcount;
projects / feed / routing.git / blob