tipc: improve size validations for received domain records

author Jon Maloy <jmaloy@redhat.com>

Mon, 14 Feb 2022 14:25:16 +0000 (11:25 -0300)

committer Andrea Righi <andrea.righi@canonical.com>

Tue, 22 Feb 2022 18:10:39 +0000 (19:10 +0100)
author Jon Maloy <jmaloy@redhat.com>
Mon, 14 Feb 2022 14:25:16 +0000 (11:25 -0300)
committer Andrea Righi <andrea.righi@canonical.com>
Tue, 22 Feb 2022 18:10:39 +0000 (19:10 +0100)
diff --git a/net/tipc/link.c b/net/tipc/link.c

index 09ae8448f394f738f434cf521503a43450615c95..4e7936d9b4424b127a1aed9b7fd25cda0587b443 100644 (file)
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2199,7 +2199,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
         struct tipc_msg *hdr = buf_msg(skb);
         struct tipc_gap_ack_blks *ga = NULL;
         bool reply = msg_probe(hdr), retransmitted = false;
-       u16 dlen = msg_data_sz(hdr), glen = 0;
+       u32 dlen = msg_data_sz(hdr), glen = 0;
         u16 peers_snd_nxt =  msg_next_sent(hdr);
         u16 peers_tol = msg_link_tolerance(hdr);
         u16 peers_prio = msg_linkprio(hdr);
@@ -2213,6 +2213,10 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
         void *data;
  
         trace_tipc_proto_rcv(skb, false, l->name);
+
+       if (dlen > U16_MAX)
+               goto exit;
+
         if (tipc_link_is_blocked(l) || !xmitq)
                 goto exit;
  
@@ -2308,7 +2312,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
  
                 /* Receive Gap ACK blocks from peer if any */
                 glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
-
+               if(glen > dlen)
+                       break;
                 tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
                              &l->mon_state, l->bearer_id);
  
diff --git a/net/tipc/monitor.c b/net/tipc/monitor.c

index 407619697292f3f781c9dd6cb62aceaa762c7e29..2f4d23238a7e33a6ff22e87fca6ee0281040b338 100644 (file)
--- a/net/tipc/monitor.c
+++ b/net/tipc/monitor.c
@@ -496,6 +496,8 @@ void tipc_mon_rcv(struct net *net, void *data, u16 dlen, u32 addr,
         state->probing = false;
  
         /* Sanity check received domain record */
+       if (new_member_cnt > MAX_MON_DOMAIN)
+               return;
         if (dlen < dom_rec_len(arrv_dom, 0))
                 return;
         if (dlen != dom_rec_len(arrv_dom, new_member_cnt))
author	Jon Maloy <jmaloy@redhat.com>
	Mon, 14 Feb 2022 14:25:16 +0000 (11:25 -0300)
committer	Andrea Righi <andrea.righi@canonical.com>
	Tue, 22 Feb 2022 18:10:39 +0000 (19:10 +0100)
net/tipc/link.c		patch \| blob \| blame \| history
net/tipc/monitor.c		patch \| blob \| blame \| history