From patchwork Tue Feb 16 09:47:07 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Sven Eckelmann <sven.eckelmann@open-mesh.com>
X-Patchwork-Id: 5079
X-Patchwork-Delegate: mareklindner@neomailbox.ch
Return-Path: <sven.eckelmann@open-mesh.com>
Received-SPF: Neutral (access neither permitted nor denied)
	identity=mailfrom;
	client-ip=74.125.82.41; helo=mail-wm0-f41.google.com;
	envelope-from=sven.eckelmann@open-mesh.com;
	receiver=b.a.t.m.a.n@lists.open-mesh.org
Authentication-Results: open-mesh.org; dmarc=none header.from=open-mesh.com
Authentication-Results: open-mesh.org; dkim=pass
	reason="2048-bit key; unprotected key"
	header.d=open-mesh-com.20150623.gappssmtp.com
	header.i=@open-mesh-com.20150623.gappssmtp.com
	header.b=Ycvg87t8; dkim-adsp=none (unprotected policy);
	dkim-atps=neutral
Received: from mail-wm0-f41.google.com (mail-wm0-f41.google.com
	[74.125.82.41])
	by open-mesh.org (Postfix) with ESMTPS id E761F81D6D
	for <b.a.t.m.a.n@lists.open-mesh.org>;
	Tue, 16 Feb 2016 10:47:26 +0100 (CET)
Received: by mail-wm0-f41.google.com with SMTP id g62so182965456wme.0
	for <b.a.t.m.a.n@lists.open-mesh.org>;
	Tue, 16 Feb 2016 01:47:26 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=open-mesh-com.20150623.gappssmtp.com; s=20150623;
	h=from:to:cc:subject:date:message-id;
	bh=1lbWE4YrPXnjwr4x8gSg1yJ49kptB5Z8Uh7uGmzO7VM=;
	b=Ycvg87t8Y89EcS9yKse8j0j5qAqQfnWqYgxGIsoo4dJoGTC1oRVMHO4dqtkPHvU6iS
	tJE7+rNIKQw6krOF2Wn+y07hzIwHT0a9dPh3cpFYSeHeCaKmwudwv8mjJpPaBHoDTTr7
	EfwDry66swthO7HE2aSNK44/nOAinqxUjvXxK/t18JCnbQr0e7NtBXiup44HKPEPBMa2
	v2Dfrry/6FlhB8xGSpkLMJlYGkzVmQSWl+bxd12tDP3K0t/bbFQ8ykn8yDtOWnRxAt4c
	QZjCvu8ki5coA+DvWbVltTqrc10vBucQNRLbMQryVABovn24jHndYD4p0jOereAtBs5E
	Y9Lw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20130820;
	h=x-gm-message-state:from:to:cc:subject:date:message-id;
	bh=1lbWE4YrPXnjwr4x8gSg1yJ49kptB5Z8Uh7uGmzO7VM=;
	b=FxScFsk6GMucylcD0rM/pbZ2I6JmLkPZftg2s6godiL8X8x2oB6WbK0aw4n4nwxFRO
	vfNe/PPbE+yDBUqrkVQohbhBQATHS15Rkc9CXRH9hEcquZvp2PLtY1oSe3C4Ej1nZyeB
	ZgKlCiJXqfURulmL8bg9MrymkkQ6EgOrA0BscwpSyPw05py4aZFOJWNz29sAnd3Ib3qk
	UbosPinCDwZSyLVmeSZt1EmCw1xh+h0h83xRwsy4W3N+S7u+jpThQ9l2/X5vPpjCrmeV
	V5Nueg7lscb+iNrNwbxIpW0OWGayIxleQhp0KbA5Q+lrMCNJflyfew5+eocBT+t9hW2b
	BljA==
X-Gm-Message-State: 
 AG10YOTT+6hm/VuBd8ClrVJLRNg1709Otlj/8QcSjq6elaIXGBHZKCer22QGHU0DMMS9eUvr
X-Received: by 10.28.18.85 with SMTP id 82mr19085967wms.5.1455616046312;
	Tue, 16 Feb 2016 01:47:26 -0800 (PST)
Received: from sven-desktop.home.narfation.org (x4d065146.dyn.telefonica.de.
	[77.6.81.70]) by smtp.gmail.com with ESMTPSA id
	x6sm29417669wje.38.2016.02.16.01.47.25
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Tue, 16 Feb 2016 01:47:25 -0800 (PST)
From: Sven Eckelmann <sven.eckelmann@open-mesh.com>
X-Google-Original-From: Sven Eckelmann <sven@open-mesh.com>
To: b.a.t.m.a.n@lists.open-mesh.org
Date: Tue, 16 Feb 2016 10:47:07 +0100
Message-Id: <1455616027-22089-1-git-send-email-sven@open-mesh.com>
X-Mailer: git-send-email 2.7.0
Cc: Sven Eckelmann <sven.eckelmann@open-mesh.com>
Subject: [B.A.T.M.A.N.] [PATCH] batman-adv: Fix integer overflow in
	batadv_iv_ogm_calc_tq
X-BeenThere: b.a.t.m.a.n@lists.open-mesh.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: The list for a Better Approach To Mobile Ad-hoc Networking
	<b.a.t.m.a.n.lists.open-mesh.org>
List-Unsubscribe: <https://lists.open-mesh.org/mm/options/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=unsubscribe>
List-Archive: <http://lists.open-mesh.org/pipermail/b.a.t.m.a.n/>
List-Post: <mailto:b.a.t.m.a.n@lists.open-mesh.org>
List-Help: <mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=help>
List-Subscribe: <https://lists.open-mesh.org/mm/listinfo/b.a.t.m.a.n>,
	<mailto:b.a.t.m.a.n-request@lists.open-mesh.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Feb 2016 09:47:27 -0000

From: Sven Eckelmann <sven.eckelmann@open-mesh.com>

The undefined behavior sanatizer detected an signed integer overflow in a
setup with near perfect link quality

    UBSAN: Undefined behaviour in net/batman-adv/bat_iv_ogm.c:1246:25
    signed integer overflow:
    8713350 * 255 cannot be represented in type 'int'

The problems happens because the calculation of mixed unsigned and signed
integers resulted in an integer multiplication.

      batadv_ogm_packet::tq (u8 255)
    * tq_own (u8 255)
    * tq_asym_penalty (int 134; max 255)
    * tq_iface_penalty (int 255; max 255)

The tq_iface_penalty, tq_asym_penalty and inv_asym_penalty can just be
changed to unsigned int because they are not expected to become negative.

Fixes: 46e44fdb96ef ("batman-adv: add WiFi penalty")
Signed-off-by: Sven Eckelmann <sven.eckelmann@open-mesh.com>
---
 net/batman-adv/bat_iv_ogm.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/batman-adv/bat_iv_ogm.c b/net/batman-adv/bat_iv_ogm.c
index cb2d1b9..b71b57e 100644
--- a/net/batman-adv/bat_iv_ogm.c
+++ b/net/batman-adv/bat_iv_ogm.c
@@ -1147,9 +1147,10 @@ static int batadv_iv_ogm_calc_tq(struct batadv_orig_node *orig_node,
 	u8 total_count;
 	u8 orig_eq_count, neigh_rq_count, neigh_rq_inv, tq_own;
 	unsigned int neigh_rq_inv_cube, neigh_rq_max_cube;
-	int tq_asym_penalty, inv_asym_penalty, if_num, ret = 0;
+	int if_num, ret = 0;
+	unsigned int tq_asym_penalty, inv_asym_penalty;
 	unsigned int combined_tq;
-	int tq_iface_penalty;
+	unsigned int tq_iface_penalty;
 
 	/* find corresponding one hop neighbor */
 	rcu_read_lock();