diff options
| author |   Erik Hugne <erik.hugne@ericsson.com> | 2014-04-28 08:20:09 +0200 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2014-04-28 14:43:35 -0400 |
| commit | d7bb74c38cb3de40600dcbba50a4f84df290dc91 (patch) | |
| tree | c8c320eb97da04533e2c8e7f1e81bb4f3ee92376 /net/tipc | |
| parent | ctc: replace PTR_RET with PTR_ERR_OR_ZERO (diff) | |
| download | linux-dev-d7bb74c38cb3de40600dcbba50a4f84df290dc91.tar.xz linux-dev-d7bb74c38cb3de40600dcbba50a4f84df290dc91.zip | |
tipc: fix out of bounds indexing
Commit 78acb1f9b898e85fa2c1e28e700b54b66b288e8d ("tipc: add
ioctl to fetch link names") introduced a buffer overflow bug where
specially crafted ioctl requests could cause out-of-bounds indexing
of the node->links array. This was caused by an incorrect check vs
MAX_BEARERS, and the static code checker complaint is:
net/tipc/node.c:459 tipc_node_get_linkname() error: buffer overflow 'node->links' 2 <= 2
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/tipc')
| -rw-r--r-- | net/tipc/node.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/tipc/node.c b/net/tipc/node.c index 1f938f3dba4b..6d6543e88c2c 100644 --- a/net/tipc/node.c +++ b/net/tipc/node.c @@ -453,7 +453,7 @@ int tipc_node_get_linkname(u32 bearer_id, u32 addr, char *linkname, size_t len) struct tipc_link *link; struct tipc_node *node = tipc_node_find(addr); - if ((bearer_id > MAX_BEARERS) || !node) + if ((bearer_id >= MAX_BEARERS) || !node) return -EINVAL; tipc_node_lock(node); link = node->links[bearer_id]; |