Commit 335b929b authored Apr 12, 2018 by Jon Maloy Committed by David S. Miller Apr 12, 2018

tipc: fix missing initializer in tipc_sendmsg()



The stack variable 'dnode' in __tipc_sendmsg() may theoretically
end up tipc_node_get_mtu() as an unitilalized variable.

We fix this by intializing the variable at declaration. We also add
a default else clause to the two conditional ones already there, so
that we never end up in the named function if the given address
type is illegal.

Reported-by:  <syzbot+b0975ce9355b347c1546@syzkaller.appspotmail.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent 9d0c75bf

net/tipc/socket.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -1278,7 +1278,7 @@ static int __tipc_sendmsg(struct socket sock, struct msghdr m, size_t dlen)
		struct tipc_msg *hdr = &tsk->phdr;
		struct tipc_name_seq *seq;
		struct sk_buff_head pkts;
		u32 dnode, dport;
		u32 dport, dnode = 0;
		u32 type, inst;
		int mtu, rc;

		@@ -1348,6 +1348,8 @@ static int __tipc_sendmsg(struct socket sock, struct msghdr m, size_t dlen)
		msg_set_destnode(hdr, dnode);
		msg_set_destport(hdr, dest->addr.id.ref);
		msg_set_hdr_sz(hdr, BASIC_H_SIZE);
		} else {
		return -EINVAL;
		}

		/* Block or return if destination link is congested */