1 files changed, 15 insertions, 5 deletions
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index d6b26862b34e..b542f14ed444 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2349,6 +2349,16 @@ static int tipc_wait_for_connect(struct socket *sock, long *timeo_p)
        return 0;
 }
+static bool tipc_sockaddr_is_sane(struct sockaddr_tipc *addr)
+{
+        if (addr->family != AF_TIPC)
+                return false;
+        if (addr->addrtype == TIPC_SERVICE_RANGE)
+                return (addr->addr.nameseq.lower <= addr->addr.nameseq.upper);
+        return (addr->addrtype == TIPC_SERVICE_ADDR ||
+                addr->addrtype == TIPC_SOCKET_ADDR);
+}
 /**
 * tipc_connect - establish a connection to another TIPC port
 * @sock: socket structure
@@ -2384,18 +2394,18 @@ static int tipc_connect(struct socket *sock, struct sockaddr *dest,
                if (!tipc_sk_type_connectionless(sk))
                        res = -EINVAL;
                goto exit;
-        } else if (dst->family != AF_TIPC) {
-                res = -EINVAL;
        }
-        if (dst->addrtype != TIPC_ADDR_ID && dst->addrtype != TIPC_ADDR_NAME)
+        if (!tipc_sockaddr_is_sane(dst)) {
                res = -EINVAL;
-        if (res)
                goto exit;
+        }
        /* DGRAM/RDM connect(), just save the destaddr */
        if (tipc_sk_type_connectionless(sk)) {
                memcpy(&tsk->peer, dest, destlen);
                goto exit;
+        } else if (dst->addrtype == TIPC_SERVICE_RANGE) {
+                res = -EINVAL;
+                goto exit;
        }
        previous = sk->sk_state;

diff --git a/net/tipc/socket.c b/net/tipc/socket.c index d6b26862b34e..b542f14ed444 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c
@@ -2349,6 +2349,16 @@ static int tipc_wait_for_connect(struct socket sock, long timeo_p)
2349	return 0;	2349	return 0;
2350	}	2350	}
2351		2351
		2352	static bool tipc_sockaddr_is_sane(struct sockaddr_tipc *addr)
		2353	{
		2354	if (addr->family != AF_TIPC)
		2355	return false;
		2356	if (addr->addrtype == TIPC_SERVICE_RANGE)
		2357	return (addr->addr.nameseq.lower <= addr->addr.nameseq.upper);
		2358	return (addr->addrtype == TIPC_SERVICE_ADDR \|\|
		2359	addr->addrtype == TIPC_SOCKET_ADDR);
		2360	}
		2361
2352	/**	2362	/**
2353	* tipc_connect - establish a connection to another TIPC port	2363	* tipc_connect - establish a connection to another TIPC port
2354	* @sock: socket structure	2364	* @sock: socket structure
@@ -2384,18 +2394,18 @@ static int tipc_connect(struct socket sock, struct sockaddr dest,
2384	if (!tipc_sk_type_connectionless(sk))	2394	if (!tipc_sk_type_connectionless(sk))
2385	res = -EINVAL;	2395	res = -EINVAL;
2386	goto exit;	2396	goto exit;
2387	} else if (dst->family != AF_TIPC) {
2388	res = -EINVAL;
2389	}	2397	}
2390	if (dst->addrtype != TIPC_ADDR_ID && dst->addrtype != TIPC_ADDR_NAME)	2398	if (!tipc_sockaddr_is_sane(dst)) {
2391	res = -EINVAL;	2399	res = -EINVAL;
2392	if (res)
2393	goto exit;	2400	goto exit;
2394		2401	}
2395	/* DGRAM/RDM connect(), just save the destaddr */	2402	/* DGRAM/RDM connect(), just save the destaddr */
2396	if (tipc_sk_type_connectionless(sk)) {	2403	if (tipc_sk_type_connectionless(sk)) {
2397	memcpy(&tsk->peer, dest, destlen);	2404	memcpy(&tsk->peer, dest, destlen);
2398	goto exit;	2405	goto exit;
		2406	} else if (dst->addrtype == TIPC_SERVICE_RANGE) {
		2407	res = -EINVAL;
		2408	goto exit;
2399	}	2409	}
2400		2410
2401	previous = sk->sk_state;	2411	previous = sk->sk_state;