tipc: check nl sock before parsing nested attributes

Make sure the socket for which the user is listing publication exists
before parsing the socket netlink attributes.

Prior to this patch a call without any socket caused a NULL pointer
dereference in tipc_nl_publ_dump().

Tested-and-reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
Acked-by: Jon Maloy <jon.maloy@ericsson.cm>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 45e093ae2830cd1264677d47ff9a95a71f5d9f9c)
CVE-2016-4951
BugLink: https://bugs.launchpad.net/bugs/1585365
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index e53003cf7703af30f3eaaf0d904f339ce3c7e757..9b713e0ce00dbb79487e979337f449248cc78a51 100644 (file)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -2814,6 +2814,9 @@ int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb)
                if (err)
                        return err;
 
+               if (!attrs[TIPC_NLA_SOCK])
+                       return -EINVAL;
+
                err = nla_parse_nested(sock, TIPC_NLA_SOCK_MAX,
                                       attrs[TIPC_NLA_SOCK],
                                       tipc_nl_sock_policy);