tipc: check link name with right length in tipc_nl_compat_link_set

commit 8c63bf9ab4be8b83bd8c34aacfd2f1d2c8901c8a upstream. A similar issue as fixed by Patch "tipc: check bearer name with right length in tipc_nl_compat_bearer_enable" was also found by syzbot in tipc_nl_compat_link_set(). The length to check with should be 'TLV_GET_DATA_LEN(msg->req) - offsetof(struct tipc_link_config, name)'. Reported-by: syzbot+de00a87b8644a582ae79@syzkaller.appspotmail.com Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Xin Long <lucien.xin@gmail.com> 2019-03-31 17:50:09 +0300
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-05-02 10:58:57 +0300
commit: a0cb0faa15f3174ac0d1c5ca401ca80b4494b21d (patch)
tree: dcf84b81b4370f7ec4d9eb52af2ed64a16767d79
parent: f21fae8049cd50d3873db21762f75a7bf950f7d2 (diff)
download: linux-a0cb0faa15f3174ac0d1c5ca401ca80b4494b21d.tar.xz
1 files changed, 6 insertions, 1 deletions
diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index d093964e6354..588d5aa14c41 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -777,7 +777,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd,
 
 	lc = (struct tipc_link_config *)TLV_DATA(msg->req);
 
-	len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME);
+	len = TLV_GET_DATA_LEN(msg->req);
+	len -= offsetof(struct tipc_link_config, name);
+	if (len <= 0)
+		return -EINVAL;
+
+	len = min_t(int, len, TIPC_MAX_LINK_NAME);
 	if (!string_is_valid(lc->name, len))
 		return -EINVAL;
author	Xin Long <lucien.xin@gmail.com>	2019-03-31 17:50:09 +0300
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-05-02 10:58:57 +0300
commit	a0cb0faa15f3174ac0d1c5ca401ca80b4494b21d (patch)
tree	dcf84b81b4370f7ec4d9eb52af2ed64a16767d79
parent	f21fae8049cd50d3873db21762f75a7bf950f7d2 (diff)
download	linux-a0cb0faa15f3174ac0d1c5ca401ca80b4494b21d.tar.xz