lisa/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

BACKPORT: tipc: fix incorrect order of state message data sanity check

Browse Source 
When receiving a state message, function tipc_link_validate_msg()
is called to validate its header portion. Then, its data portion
is validated before it can be accessed correctly. However, current
data sanity  check is done after the message header is accessed to
update some link variables.

This commit fixes this issue by moving the data sanity check to
the beginning of state message handling and right after the header
sanity check.

Bug: 254441685
Fixes: 9aa422ad3266 ("tipc: improve size validations for received domain records")
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/20220308021200.9245-1-tung.q.nguyen@dektech.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit c79fcc27be90b308b3fa90811aefafdd4078668c)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: If6cff72e268879445b388c957810263c59488718
This commit is contained in:
Tung Nguyen 2022-03-08 02:11:59 +00:00 committed by Lee Jones
parent c5f9da53b8
commit ef283814b2
1 changed files with 11 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
net/tipc/link.c
View File

@ -2033,6 +2033,17 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
break; break;
case STATE_MSG: case STATE_MSG:
/* Receive Gap ACK blocks from peer if any */
if (l->peer_caps & TIPC_GAP_ACK_BLOCK) {
ga = (struct tipc_gap_ack_blks *)data;
glen = ntohs(ga->len);
/* sanity check: if failed, ignore Gap ACK blocks */
if (glen != tipc_gap_ack_blks_sz(ga->gack_cnt))
ga = NULL;
}
if(glen > dlen)
break;
l->rcv_nxt_state = msg_seqno(hdr) + 1; l->rcv_nxt_state = msg_seqno(hdr) + 1;
/* Update own tolerance if peer indicates a non-zero value */ /* Update own tolerance if peer indicates a non-zero value */
@ -2058,16 +2069,6 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
break; break;
} }
/* Receive Gap ACK blocks from peer if any */
if (l->peer_caps & TIPC_GAP_ACK_BLOCK) {
ga = (struct tipc_gap_ack_blks *)data;
glen = ntohs(ga->len);
/* sanity check: if failed, ignore Gap ACK blocks */
if (glen != tipc_gap_ack_blks_sz(ga->gack_cnt))
ga = NULL;
}
if(glen > dlen)
break;
tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr, tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
&l->mon_state, l->bearer_id); &l->mon_state, l->bearer_id);