Commit a0cb0faa authored Mar 31, 2019 by Xin Long Committed by Greg Kroah-Hartman May 02, 2019

tipc: check link name with right length in tipc_nl_compat_link_set



commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream.

A similar issue as fixed by Patch "tipc: check bearer name with right
length in tipc_nl_compat_bearer_enable" was also found by syzbot in
tipc_nl_compat_link_set().

The length to check with should be 'TLV_GET_DATA_LEN(msg->req) -
offsetof(struct tipc_link_config, name)'.

Reported-by:  <syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

parent f21fae80

net/tipc/netlink_compat.c

+6 −1

Original line number	Diff line number	Diff line
		@@ -777,7 +777,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd,

		lc = (struct tipc_link_config *)TLV_DATA(msg->req);

		len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
		len = TLV_GET_DATA_LEN(msg->req);
		len -= offsetof(struct tipc_link_config, name);
		if (len <= 0)
		return -EINVAL;

		len = min_t(int, len, TIPC_MAX_LINK_NAME);
		if (!string_is_valid(lc->name, len))
		return -EINVAL;