releases/4.9.172/tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch

   1 From 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a Mon Sep 17 00:00:00 2001
   2 From: Xin Long <lucien.xin@gmail.com>
   3 Date: Sun, 31 Mar 2019 22:50:09 +0800
   4 Subject: tipc: check link name with right length in tipc_nl_compat_link_set
   5
   6 From: Xin Long <lucien.xin@gmail.com>
   7
   8 commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream.
   9
  10 A similar issue as fixed by Patch "tipc: check bearer name with right
  11 length in tipc_nl_compat_bearer_enable" was also found by syzbot in
  12 tipc_nl_compat_link_set().
  13
  14 The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
  15 offsetof(struct tipc_link_config, name)'.
  16
  17 Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com
  18 Signed-off-by: Xin Long <lucien.xin@gmail.com>
  19 Signed-off-by: David S. Miller <davem@davemloft.net>
  20 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  21
  22 ---
  23  net/tipc/netlink_compat.c |    7 ++++++-
  24  1 file changed, 6 insertions(+), 1 deletion(-)
  25
  26 --- a/net/tipc/netlink_compat.c
  27 +++ b/net/tipc/netlink_compat.c
  28 @@ -768,7 +768,12 @@ static int tipc_nl_compat_link_set(struc
  29
  30         lc = (struct tipc_link_config *)TLV_DATA(msg->req);
  31
  32 -       len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
  33 +       len = TLV_GET_DATA_LEN(msg->req);
  34 +       len -= offsetof(struct tipc_link_config, name);
  35 +       if (len <= 0)
  36 +               return -EINVAL;
  37 +
  38 +       len = min_t(int, len, TIPC_MAX_LINK_NAME);
  39         if (!string_is_valid(lc->name, len))
  40                 return -EINVAL;
  41