tipc: fix possible crash in __tipc_nl_net_set()

syzbot reported a crash in __tipc_nl_net_set() caused by NULL dereference.

We need to check that both TIPC_NLA_NET_NODEID and TIPC_NLA_NET_NODEID_W1
are present.

We also need to make sure userland provided u64 attributes.

Fixes: d50ccc2d3909 ("tipc: add 128-bit node identifier")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Ying Xue <ying.xue@windriver.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 4 insertions, 0 deletions

diff --git a/net/tipc/net.c b/net/tipc/net.c
index 856f9e97ea29..4fbaa0464405 100644
--- a/net/tipc/net.c
+++ b/net/tipc/net.c
@@ -252,6 +252,8 @@ int __tipc_nl_net_set(struct sk_buff *skb, struct genl_info *info)
                 u64 *w0 = (u64 *)&node_id[0];
                 u64 *w1 = (u64 *)&node_id[8];
 
+                if (!attrs[TIPC_NLA_NET_NODEID_W1])
+                        return -EINVAL;
                 *w0 = nla_get_u64(attrs[TIPC_NLA_NET_NODEID]);
                 *w1 = nla_get_u64(attrs[TIPC_NLA_NET_NODEID_W1]);
                 tipc_net_init(net, node_id, 0);
diff --git a/net/tipc/netlink.c b/net/tipc/netlink.c
index d4e0bbeee727..6ff2254088f6 100644
--- a/net/tipc/netlink.c
+++ b/net/tipc/netlink.c
@@ -81,6 +81,8 @@ const struct nla_policy tipc_nl_net_policy[TIPC_NLA_NET_MAX + 1] = {
         [TIPC_NLA_NET_UNSPEC]           = { .type = NLA_UNSPEC },
         [TIPC_NLA_NET_ID]               = { .type = NLA_U32 },
         [TIPC_NLA_NET_ADDR]             = { .type = NLA_U32 },
+        [TIPC_NLA_NET_NODEID]           = { .type = NLA_U64 },
+        [TIPC_NLA_NET_NODEID_W1]        = { .type = NLA_U64 },
 };
 
 const struct nla_policy tipc_nl_link_policy[TIPC_NLA_LINK_MAX + 1] = {