diff mbox series

[net,1/1] tipc: fix incorrect order of state message data sanity check

Message ID 20220308021200.9245-1-tung.q.nguyen@dektech.com.au (mailing list archive)
State Accepted
Commit c79fcc27be90b308b3fa90811aefafdd4078668c
Delegated to: Netdev Maintainers
Headers show
Series [net,1/1] tipc: fix incorrect order of state message data sanity check | expand

Checks

Context Check Description
netdev/tree_selection success Clearly marked for net
netdev/fixes_present success Fixes tag present in non-next series
netdev/subject_prefix success Link
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers fail 3 blamed authors not CCed: samuel.page@appgate.com edumazet@google.com lucien.xin@gmail.com; 3 maintainers not CCed: samuel.page@appgate.com edumazet@google.com lucien.xin@gmail.com
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/verify_fixes success Fixes tag looks correct
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 21 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Tung Quang Nguyen March 8, 2022, 2:11 a.m. UTC 
When receiving a state message, function tipc_link_validate_msg()
is called to validate its header portion. Then, its data portion
is validated before it can be accessed correctly. However, current
data sanity  check is done after the message header is accessed to
update some link variables.

This commit fixes this issue by moving the data sanity check to
the beginning of state message handling and right after the header
sanity check.

Fixes: 9aa422ad3266 ("tipc: improve size validations for received domain records")
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
---
 net/tipc/link.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Comments

patchwork-bot+netdevbpf@kernel.org March 9, 2022, 6:30 a.m. UTC | #1 
Hello:

This patch was applied to netdev/net.git (master)
by Jakub Kicinski <kuba@kernel.org>:

On Tue,  8 Mar 2022 02:11:59 +0000 you wrote:
> When receiving a state message, function tipc_link_validate_msg()
> is called to validate its header portion. Then, its data portion
> is validated before it can be accessed correctly. However, current
> data sanity  check is done after the message header is accessed to
> update some link variables.
> 
> This commit fixes this issue by moving the data sanity check to
> the beginning of state message handling and right after the header
> sanity check.
> 
> [...]

Here is the summary with links:
  - [net,1/1] tipc: fix incorrect order of state message data sanity check
    https://git.kernel.org/netdev/net/c/c79fcc27be90

You are awesome, thank you!
diff mbox series

Patch

diff --git a/net/tipc/link.c b/net/tipc/link.c
index 1e14d7f8f28f..e260c0d557f5 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2286,6 +2286,11 @@  static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 		break;
 
 	case STATE_MSG:
+		/* Validate Gap ACK blocks, drop if invalid */
+		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
+		if (glen > dlen)
+			break;
+
 		l->rcv_nxt_state = msg_seqno(hdr) + 1;
 
 		/* Update own tolerance if peer indicates a non-zero value */
@@ -2311,10 +2316,6 @@  static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 			break;
 		}
 
-		/* Receive Gap ACK blocks from peer if any */
-		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
-		if(glen > dlen)
-			break;
 		tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
 			     &l->mon_state, l->bearer_id);