4 files changed, 31 insertions, 17 deletions
diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index 240ed70912d6..d78938e3e008 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -277,17 +277,23 @@ static u8 batadv_hop_penalty(u8 tq, const struct batadv_priv *bat_priv)
 * batadv_iv_ogm_aggr_packet() - checks if there is another OGM attached
 * @buff_pos: current position in the skb
 * @packet_len: total length of the skb
- * @tvlv_len: tvlv length of the previously considered OGM
+ * @ogm_packet: potential OGM in buffer
 *
 * Return: true if there is enough space for another OGM, false otherwise.
 */
-static bool batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
+static bool
-                                      __be16 tvlv_len)
+batadv_iv_ogm_aggr_packet(int buff_pos, int packet_len,
+                          const struct batadv_ogm_packet *ogm_packet)
 {
        int next_buff_pos = 0;
-        next_buff_pos += buff_pos + BATADV_OGM_HLEN;
+        /* check if there is enough space for the header */
-        next_buff_pos += ntohs(tvlv_len);
+        next_buff_pos += buff_pos + sizeof(*ogm_packet);
+        if (next_buff_pos > packet_len)
+                return false;
+        /* check if there is enough space for the optional TVLV */
+        next_buff_pos += ntohs(ogm_packet->tvlv_len);
        return (next_buff_pos <= packet_len) &&
               (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
@@ -315,7 +321,7 @@ static void batadv_iv_ogm_send_to_if(struct batadv_forw_packet *forw_packet,
        /* adjust all flags and log packets */
        while (batadv_iv_ogm_aggr_packet(buff_pos, forw_packet->packet_len,
-                                         batadv_ogm_packet->tvlv_len)) {
+                                         batadv_ogm_packet)) {
                /* we might have aggregated direct link packets with an
                 * ordinary base packet
                 */
@@ -1704,7 +1710,7 @@ static int batadv_iv_ogm_receive(struct sk_buff *skb,
        /* unpack the aggregated packets and process them one by one */
        while (batadv_iv_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
-                                         ogm_packet->tvlv_len)) {
+                                         ogm_packet)) {
                batadv_iv_ogm_process(skb, ogm_offset, if_incoming);
                ogm_offset += BATADV_OGM_HLEN;
diff --git a/net/batman-adv/bat_v_ogm.c b/net/batman-adv/bat_v_ogm.c
index fad95ef64e01..bc06e3cdfa84 100644
--- a/net/batman-adv/bat_v_ogm.c
+++ b/net/batman-adv/bat_v_ogm.c
@@ -631,17 +631,23 @@ batadv_v_ogm_process_per_outif(struct batadv_priv *bat_priv,
 * batadv_v_ogm_aggr_packet() - checks if there is another OGM aggregated
 * @buff_pos: current position in the skb
 * @packet_len: total length of the skb
- * @tvlv_len: tvlv length of the previously considered OGM
+ * @ogm2_packet: potential OGM2 in buffer
 *
 * Return: true if there is enough space for another OGM, false otherwise.
 */
-static bool batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
+static bool
-                                     __be16 tvlv_len)
+batadv_v_ogm_aggr_packet(int buff_pos, int packet_len,
+                         const struct batadv_ogm2_packet *ogm2_packet)
 {
        int next_buff_pos = 0;
-        next_buff_pos += buff_pos + BATADV_OGM2_HLEN;
+        /* check if there is enough space for the header */
-        next_buff_pos += ntohs(tvlv_len);
+        next_buff_pos += buff_pos + sizeof(*ogm2_packet);
+        if (next_buff_pos > packet_len)
+                return false;
+        /* check if there is enough space for the optional TVLV */
+        next_buff_pos += ntohs(ogm2_packet->tvlv_len);
        return (next_buff_pos <= packet_len) &&
               (next_buff_pos <= BATADV_MAX_AGGREGATION_BYTES);
@@ -818,7 +824,7 @@ int batadv_v_ogm_packet_recv(struct sk_buff *skb,
        ogm_packet = (struct batadv_ogm2_packet *)skb->data;
        while (batadv_v_ogm_aggr_packet(ogm_offset, skb_headlen(skb),
-                                        ogm_packet->tvlv_len)) {
+                                        ogm_packet)) {
                batadv_v_ogm_process(skb, ogm_offset, if_incoming);
                ogm_offset += BATADV_OGM2_HLEN;
diff --git a/net/batman-adv/multicast.c b/net/batman-adv/multicast.c
index 67d7f83009ae..1d5bdf3a4b65 100644
--- a/net/batman-adv/multicast.c
+++ b/net/batman-adv/multicast.c
@@ -2303,7 +2303,7 @@ __batadv_mcast_flags_dump(struct sk_buff *msg, u32 portid,
        while (bucket_tmp < hash->size) {
                if (batadv_mcast_flags_dump_bucket(msg, portid, cb, hash,
-                                                   *bucket, &idx_tmp))
+                                                   bucket_tmp, &idx_tmp))
                        break;
                bucket_tmp++;
@@ -2420,8 +2420,10 @@ void batadv_mcast_purge_orig(struct batadv_orig_node *orig)
        batadv_mcast_want_unsnoop_update(bat_priv, orig, BATADV_NO_FLAGS);
        batadv_mcast_want_ipv4_update(bat_priv, orig, BATADV_NO_FLAGS);
        batadv_mcast_want_ipv6_update(bat_priv, orig, BATADV_NO_FLAGS);
-        batadv_mcast_want_rtr4_update(bat_priv, orig, BATADV_NO_FLAGS);
+        batadv_mcast_want_rtr4_update(bat_priv, orig,
-        batadv_mcast_want_rtr6_update(bat_priv, orig, BATADV_NO_FLAGS);
+                                      BATADV_MCAST_WANT_NO_RTR4);
+        batadv_mcast_want_rtr6_update(bat_priv, orig,
+                                      BATADV_MCAST_WANT_NO_RTR6);
        spin_unlock_bh(&orig->mcast_handler_lock);
 }
diff --git a/net/batman-adv/netlink.c b/net/batman-adv/netlink.c
index 6f08fd122a8d..7e052d6f759b 100644
--- a/net/batman-adv/netlink.c
+++ b/net/batman-adv/netlink.c
@@ -164,7 +164,7 @@ batadv_netlink_get_ifindex(const struct nlmsghdr *nlh, int attrtype)
 {
        struct nlattr *attr = nlmsg_find_attr(nlh, GENL_HDRLEN, attrtype);
-        return attr ? nla_get_u32(attr) : 0;
+        return (attr && nla_len(attr) == sizeof(u32)) ? nla_get_u32(attr) : 0;
 }
 /**