tipc: fix potential null pointer dereference in the nla_data function

Message ID a692a179-6f59-fdbb-9c49-e943677fce43@gmail.com
State Rejected, archived
Delegated to: David Miller

Commit Message

Baozeng Ding June 10, 2016, 2:26 a.m. UTC
Before calling the nla_data function, make sure the argument is not null.
Fix potential null pointer dereference vulnerability for this.

Signed-off-by: Baozeng Ding <sploving1@gmail.com>
---
 net/tipc/netlink_compat.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

Comments

David Miller June 11, 2016, 6:23 a.m. UTC | #1
From: Baozeng Ding <sploving1@gmail.com>
Date: Fri, 10 Jun 2016 10:26:59 +0800

> Before calling the nla_data function, make sure the argument is not null.
> Fix potential null pointer dereference vulnerability for this.
> 
> Signed-off-by: Baozeng Ding <sploving1@gmail.com>

TIPC maintainers, please review.
David Miller June 11, 2016, 5:32 p.m. UTC | #2
From: Erik Hugne <erik.hugne@gmail.com>
Date: Sat, 11 Jun 2016 09:46:32 +0200

> On Jun 11, 2016 08:24, "David Miller" <davem@davemloft.net> wrote:
>>
>> From: Baozeng Ding <sploving1@gmail.com>
>> Date: Fri, 10 Jun 2016 10:26:59 +0800
>>
>> > Before calling the nla_data function, make sure the argument is not null.
>> > Fix potential null pointer dereference vulnerability for this.
>> >
>> > Signed-off-by: Baozeng Ding <sploving1@gmail.com>
>>
>> TIPC maintainers, please review.
>>
> 
> Nak, nlattrs does not come from userspace in the compat layer, it just
> translates to the legacy TLV thing.
> 
> //E

This reply was done in a manner that the Message-ID got lost,
therefore patchwork cannot associate your reply with the original
patch posting and store it in the conversation attached to the patch.

Please don't do that in the future, thanks.

Patch

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index f795b1d..efbba26 100644
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -356,6 +356,9 @@  static int tipc_nl_compat_bearer_dump(struct tipc_nl_compat_msg *msg,
 	if (err)
 		return err;
 
+	if (!bearer[TIPC_NLA_BEARER_NAME])
+		return -EINVAL;
+
 	return tipc_add_tlv(msg->rep, TIPC_TLV_BEARER_NAME,
 			    nla_data(bearer[TIPC_NLA_BEARER_NAME]),
 			    nla_len(bearer[TIPC_NLA_BEARER_NAME]));
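Review bot: The changelog does not say how bearer[TIPC_NLA_BEARER_NAME] can still be NULL in tipc_nl_compat_bearer_dump() once the preceding "if (err) return err;" has passed, so the need for this check cannot be judged from the patch. Please describe the path that leaves the attribute unset, or drop the check if the attributes reaching this function are always produced by the kernel side, as the TIPC review in this thread states.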
@@ -492,6 +495,9 @@  static int tipc_nl_compat_link_stat_dump(struct tipc_nl_compat_msg *msg,
 	if (err)
 		return err;
 
+	if (!link[TIPC_NLA_LINK_NAME])
+		return -EINVAL;
+
 	name = (char *)TLV_DATA(msg->req);
 	if (strcmp(name, nla_data(link[TIPC_NLA_LINK_NAME])) != 0)
 		return 0;
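Review bot: The NULL test on link[TIPC_NLA_LINK_NAME] in tipc_nl_compat_link_stat_dump() covers only presence, while the strcmp() two lines below still reads the attribute payload with no reference to its length. If the attribute is considered untrusted enough to be missing, the comparison should also be bounded by nla_len(link[TIPC_NLA_LINK_NAME]); if it is trusted, the changelog should say so and the check is not needed.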
@@ -602,6 +608,9 @@  static int tipc_nl_compat_link_dump(struct tipc_nl_compat_msg *msg,
 	if (err)
 		return err;
 
+	if (!link[TIPC_NLA_LINK_NAME])
+		return -EINVAL;
+
 	link_info.dest = nla_get_flag(link[TIPC_NLA_LINK_DEST]);
 	link_info.up = htonl(nla_get_flag(link[TIPC_NLA_LINK_UP]));
 	strcpy(link_info.str, nla_data(link[TIPC_NLA_LINK_NAME]));
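Review bot: In tipc_nl_compat_link_dump() the added check stops a NULL link[TIPC_NLA_LINK_NAME] from reaching nla_data(), but the strcpy() into link_info.str that consumes it remains unbounded. A patch that hardens this function against a malformed attribute should also replace the strcpy() with a copy limited to sizeof(link_info.str), and the changelog should state which of the two cases is actually reachable.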
@@ -981,6 +990,9 @@  static int tipc_nl_compat_media_dump(struct tipc_nl_compat_msg *msg,
 	if (err)
 		return err;
 
+	if (!media[TIPC_NLA_MEDIA_NAME])
+		return -EINVAL;
+
 	return tipc_add_tlv(msg->rep, TIPC_TLV_MEDIA_NAME,
 			    nla_data(media[TIPC_NLA_MEDIA_NAME]),
 			    nla_len(media[TIPC_NLA_MEDIA_NAME]));
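Review bot: This check in tipc_nl_compat_media_dump() is the fourth copy of the same three lines and returns -EINVAL with no comment on when media[TIPC_NLA_MEDIA_NAME] may be absent. If the attribute can only be missing because the code that builds it misbehaves, -EINVAL presents that to the caller as a bad request; add a short comment naming the producer that can omit the attribute, and consider one small helper for all four sites so the rationale is written once.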