Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7ff0b608 authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'tipc-a-batch-of-uninit-value-fixes-for-netlink_compat' 



Xin Long says:

====================
tipc: a batch of uninit-value fixes for netlink_compat

These issues were all reported by syzbot, and exist since very beginning.
See the details on each patch.
====================

Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents d3de85a5 2ac695d1

net/tipc/netlink_compat.c

+20 −4
Original line number Diff line number Diff line
@@ -267,8 +267,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, 
	if (msg->rep_type)

		tipc_tlv_init(msg->rep, msg->rep_type);



	if (cmd->header)

		(*cmd->header)(msg);

	if (cmd->header) {

		err = (*cmd->header)(msg);

		if (err) {

			kfree_skb(msg->rep);

			msg->rep = NULL;

			return err;

		}

	}



	arg = nlmsg_new(0, GFP_KERNEL);

	if (!arg) {
@@ -397,7 +403,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, 
	if (!bearer)

		return -EMSGSIZE;



	len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME);

	len = TLV_GET_DATA_LEN(msg->req);

	len -= offsetof(struct tipc_bearer_config, name);

	if (len <= 0)

		return -EINVAL;



	len = min_t(int, len, TIPC_MAX_BEARER_NAME);

	if (!string_is_valid(b->name, len))

		return -EINVAL;
@@ -766,7 +777,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd, 


	lc = (struct tipc_link_config *)TLV_DATA(msg->req);



	len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);

	len = TLV_GET_DATA_LEN(msg->req);

	len -= offsetof(struct tipc_link_config, name);

	if (len <= 0)

		return -EINVAL;



	len = min_t(int, len, TIPC_MAX_LINK_NAME);

	if (!string_is_valid(lc->name, len))

		return -EINVAL;