[thirdparty/kernel/stable-queue.git] / queue-4.4 / tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch

From 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a Mon Sep 17 00:00:00 2001
From: Xin Long <lucien.xin@gmail.com>
Date: Sun, 31 Mar 2019 22:50:09 +0800
Subject: tipc: check link name with right length in tipc_nl_compat_link_set

From: Xin Long <lucien.xin@gmail.com>

commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream.

A similar issue as fixed by Patch "tipc: check bearer name with right
length in tipc_nl_compat_bearer_enable" was also found by syzbot in
tipc_nl_compat_link_set().

The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
offsetof(struct tipc_link_config, name)'.

Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/tipc/netlink_compat.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -738,7 +738,12 @@ static int tipc_nl_compat_link_set(struc
 
 	lc = (struct tipc_link_config *)TLV_DATA(msg->req);
 
-	len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
+	len = TLV_GET_DATA_LEN(msg->req);
+	len -= offsetof(struct tipc_link_config, name);
+	if (len <= 0)
+		return -EINVAL;
+
+	len = min_t(int, len, TIPC_MAX_LINK_NAME);
 	if (!string_is_valid(lc->name, len))
 		return -EINVAL;
Commit	Line	Data
9e4b7051 GKH	1	From 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a Mon Sep 17 00:00:00 2001
	2	From: Xin Long <lucien.xin@gmail.com>
	3	Date: Sun, 31 Mar 2019 22:50:09 +0800
	4	Subject: tipc: check link name with right length in tipc_nl_compat_link_set
	5
	6	From: Xin Long <lucien.xin@gmail.com>
	7
	8	commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream.
	9
	10	A similar issue as fixed by Patch "tipc: check bearer name with right
	11	length in tipc_nl_compat_bearer_enable" was also found by syzbot in
	12	tipc_nl_compat_link_set().
	13
	14	The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
	15	offsetof(struct tipc_link_config, name)'.
	16
	17	Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com
	18	Signed-off-by: Xin Long <lucien.xin@gmail.com>
	19	Signed-off-by: David S. Miller <davem@davemloft.net>
	20	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	21
	22	---
	23	net/tipc/netlink_compat.c \| 7 ++++++-
	24	1 file changed, 6 insertions(+), 1 deletion(-)
	25
	26	--- a/net/tipc/netlink_compat.c
	27	+++ b/net/tipc/netlink_compat.c
	28	@@ -738,7 +738,12 @@ static int tipc_nl_compat_link_set(struc
	29
	30	lc = (struct tipc_link_config *)TLV_DATA(msg->req);
	31
	32	- len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
	33	+ len = TLV_GET_DATA_LEN(msg->req);
	34	+ len -= offsetof(struct tipc_link_config, name);
	35	+ if (len <= 0)
	36	+ return -EINVAL;
	37	+
	38	+ len = min_t(int, len, TIPC_MAX_LINK_NAME);
	39	if (!string_is_valid(lc->name, len))
	40	return -EINVAL;
	41