diff options
| author | Xin Long <lucien.xin@gmail.com> | 2019-03-31 10:50:09 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2019-03-31 19:45:57 -0400 |
| commit | 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a (patch) | |
| tree | 8904600a024d55772611363c2d7def30bbeaa612 /net/tipc | |
| parent | 6f07e5f06c8712acc423485f657799fc8e11e56c (diff) | |
tipc: check link name with right length in tipc_nl_compat_link_set
A similar issue as fixed by Patch "tipc: check bearer name with right
length in tipc_nl_compat_bearer_enable" was also found by syzbot in
tipc_nl_compat_link_set().
The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
offsetof(struct tipc_link_config, name)'.
Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/netlink_compat.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c index 5f8e53cca222..0bfd03d67fdd 100644 --- a/net/tipc/netlink_compat.c +++ b/net/tipc/netlink_compat.c | |||
| @@ -771,7 +771,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd, | |||
| 771 | 771 | ||
| 772 | lc = (struct tipc_link_config *)TLV_DATA(msg->req); | 772 | lc = (struct tipc_link_config *)TLV_DATA(msg->req); |
| 773 | 773 | ||
| 774 | len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); | 774 | len = TLV_GET_DATA_LEN(msg->req); |
| 775 | len -= offsetof(struct tipc_link_config, name); | ||
| 776 | if (len <= 0) | ||
| 777 | return -EINVAL; | ||
| 778 | |||
| 779 | len = min_t(int, len, TIPC_MAX_LINK_NAME); | ||
| 775 | if (!string_is_valid(lc->name, len)) | 780 | if (!string_is_valid(lc->name, len)) |
| 776 | return -EINVAL; | 781 | return -EINVAL; |
| 777 | 782 | ||