PT-2026-51727 · Linux · Linux

Published 2026-06-24 · Updated 2026-06-24

CVE-2026-52934

None

No severity ratings or metrics are available. When they are, we will update the corresponding information on this page.
In the Linux kernel, the following vulnerability has been resolved:
batman-adv: tvlv: reject oversized TVLV packets
batadv_tvlv_container_ogm_append() builds a TVLV packet section from the tvlv.container_list. The total size of this section is computed by batadv_tvlv_container_list_size(), which sums the sizes of all registered containers.
The return type and accumulator in batadv_tvlv_container_list_size() were u16. If the accumulated size exceeds U16_MAX, the value wraps around, causing the subsequent allocation in batadv_tvlv_container_ogm_append() to be undersized. The memcpy-style copy that follows would then write beyond the end of the allocated buffer, corrupting kernel memory.
Fix this by widening the return type of batadv_tvlv_container_list_size() to size_t. In batadv_tvlv_container_ogm_append(), check the computed length against U16_MAX before proceeding, and bail out as if the allocation had failed when the limit is exceeded.
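
The wrap and the fix described above, as an added user-space C model (not the batman-adv source): the struct, `HDR_LEN` and the function names are assumptions for illustration, and the container sizes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model; not the batman-adv source. */
struct container { uint16_t len; };   /* payload length of one TVLV container */
#define HDR_LEN 4u                    /* assumed per-container header size */

/* Before: u16 accumulator, wraps silently past U16_MAX (65535). */
static uint16_t list_size_u16(const struct container *c, size_t n)
{
    uint16_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += HDR_LEN + c[i].len;
    return total;
}

/* After: size_t accumulator keeps the true total. */
static size_t list_size(const struct container *c, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += (size_t)HDR_LEN + c[i].len;
    return total;
}

/* After: caller rejects totals that do not fit a u16 length.
 * Returns 0 and stores the length, or -1 to bail out as on allocation failure. */
static int checked_tvlv_len(const struct container *c, size_t n, uint16_t *out)
{
    size_t total = list_size(c, n);
    if (total > UINT16_MAX)
        return -1;
    *out = (uint16_t)total;
    return 0;
}

int main(void)
{
    /* Constructed input: 3 containers of 30000 bytes payload each. */
    struct container big[3] = { {30000}, {30000}, {30000} };
    uint16_t len = 0;
    printf("u16 sum: %u, true sum: %zu, checked: %d\n",
           (unsigned)list_size_u16(big, 3), list_size(big, 3),
           checked_tvlv_len(big, 3, &len));
    return 0;
}
```

With the u16 accumulator the buffer would be sized from the wrapped value while the copy still walks every container, which is the mismatch the size_t return type and the U16_MAX check remove.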

Related identifiers

CVE-2026-52934

Affected products

Linux