]> git.baikalelectronics.ru Git - kernel.git/commitdiff
tipc: fix incorrect order of state message data sanity check
authorTung Nguyen <tung.q.nguyen@dektech.com.au>
Tue, 8 Mar 2022 02:11:59 +0000 (02:11 +0000)
committerJakub Kicinski <kuba@kernel.org>
Wed, 9 Mar 2022 06:18:42 +0000 (22:18 -0800)
When receiving a state message, function tipc_link_validate_msg()
is called to validate its header portion. Then, its data portion
is validated before it can be accessed correctly. However, current
data sanity  check is done after the message header is accessed to
update some link variables.

This commit fixes this issue by moving the data sanity check to
the beginning of state message handling and right after the header
sanity check.

Fixes: 893ed6a282b3 ("tipc: improve size validations for received domain records")
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/20220308021200.9245-1-tung.q.nguyen@dektech.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net/tipc/link.c

index 1e14d7f8f28f1dc19d8b96b2b139cc8b6884048b..e260c0d557f5cfed3e5b54845261ccee066c7d2c 100644 (file)
@@ -2286,6 +2286,11 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
                break;
 
        case STATE_MSG:
+               /* Validate Gap ACK blocks, drop if invalid */
+               glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
+               if (glen > dlen)
+                       break;
+
                l->rcv_nxt_state = msg_seqno(hdr) + 1;
 
                /* Update own tolerance if peer indicates a non-zero value */
@@ -2311,10 +2316,6 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
                        break;
                }
 
-               /* Receive Gap ACK blocks from peer if any */
-               glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
-               if(glen > dlen)
-                       break;
                tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
                             &l->mon_state, l->bearer_id);