aboutsummaryrefslogtreecommitdiffstats
path: root/net/tipc
diff options
context:
space:
mode:
authorAllan Stephens <allan.stephens@windriver.com>2011-04-07 14:57:53 -0400
committerPaul Gortmaker <paul.gortmaker@windriver.com>2011-09-01 11:16:37 -0400
commit9f6bdcd4286145e812058e4111e906e9830514d8 (patch)
tree081570fcafbd5329c788b9ef46c5e1b8b306ba2a /net/tipc
parent693d03ae3c2bafd7caca1cf4ade9f23f107e33c1 (diff)
tipc: Discard incoming broadcast messages that are unexpected
Modifies TIPC's incoming broadcast packet handler to discard messages that cannot legally be sent over the broadcast link, including: - broadcast protocol messages that do no contain state information - payload messages that are not named multicast messages - any other form of message except for bundled messages, fragmented messages, and name distribution messages. These checks are needed to prevent TIPC from handing an unexpected message to a routine that isn't prepared to handle it, which could lead to incorrect processing (up to and including invalid memory references caused by attempts to access message fields that aren't present in the message). Signed-off-by: Allan Stephens <allan.stephens@windriver.com> Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
Diffstat (limited to 'net/tipc')
-rw-r--r--net/tipc/bcast.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/net/tipc/bcast.c b/net/tipc/bcast.c
index 8d298526a5c1..bead28b5efff 100644
--- a/net/tipc/bcast.c
+++ b/net/tipc/bcast.c
@@ -39,6 +39,7 @@
39#include "link.h" 39#include "link.h"
40#include "port.h" 40#include "port.h"
41#include "bcast.h" 41#include "bcast.h"
42#include "name_distr.h"
42 43
43#define MAX_PKT_DEFAULT_MCAST 1500 /* bcast link max packet size (fixed) */ 44#define MAX_PKT_DEFAULT_MCAST 1500 /* bcast link max packet size (fixed) */
44 45
@@ -445,6 +446,8 @@ void tipc_bclink_recv_pkt(struct sk_buff *buf)
445 goto unlock; 446 goto unlock;
446 447
447 if (unlikely(msg_user(msg) == BCAST_PROTOCOL)) { 448 if (unlikely(msg_user(msg) == BCAST_PROTOCOL)) {
449 if (msg_type(msg) != STATE_MSG)
450 goto unlock;
448 if (msg_destnode(msg) == tipc_own_addr) { 451 if (msg_destnode(msg) == tipc_own_addr) {
449 tipc_bclink_acknowledge(node, msg_bcast_ack(msg)); 452 tipc_bclink_acknowledge(node, msg_bcast_ack(msg));
450 tipc_node_unlock(node); 453 tipc_node_unlock(node);
@@ -480,7 +483,10 @@ receive:
480 } 483 }
481 if (likely(msg_isdata(msg))) { 484 if (likely(msg_isdata(msg))) {
482 tipc_node_unlock(node); 485 tipc_node_unlock(node);
483 tipc_port_recv_mcast(buf, NULL); 486 if (likely(msg_mcast(msg)))
487 tipc_port_recv_mcast(buf, NULL);
488 else
489 buf_discard(buf);
484 } else if (msg_user(msg) == MSG_BUNDLER) { 490 } else if (msg_user(msg) == MSG_BUNDLER) {
485 bcl->stats.recv_bundles++; 491 bcl->stats.recv_bundles++;
486 bcl->stats.recv_bundled += msg_msgcnt(msg); 492 bcl->stats.recv_bundled += msg_msgcnt(msg);
@@ -493,9 +499,12 @@ receive:
493 bcl->stats.recv_fragmented++; 499 bcl->stats.recv_fragmented++;
494 tipc_node_unlock(node); 500 tipc_node_unlock(node);
495 tipc_net_route_msg(buf); 501 tipc_net_route_msg(buf);
502 } else if (msg_user(msg) == NAME_DISTRIBUTOR) {
503 tipc_node_unlock(node);
504 tipc_named_recv(buf);
496 } else { 505 } else {
497 tipc_node_unlock(node); 506 tipc_node_unlock(node);
498 tipc_net_route_msg(buf); 507 buf_discard(buf);
499 } 508 }
500 buf = NULL; 509 buf = NULL;
501 tipc_node_lock(node); 510 tipc_node_lock(node);