From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jon Maloy, Tung Nguyen, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.10 23/71] tipc: fix incorrect order of state message data sanity check
Date: Mon, 14 Mar 2022 12:53:16 +0100
Message-Id: <20220314112738.582757933@linuxfoundation.org>
In-Reply-To: <20220314112737.929694832@linuxfoundation.org>
References: <20220314112737.929694832@linuxfoundation.org>

From: Tung Nguyen

[ Upstream commit c79fcc27be90b308b3fa90811aefafdd4078668c ]

When receiving a state message, function tipc_link_validate_msg() is
called to validate its header portion. Then, its data portion is
validated before it can be accessed correctly. However, current data
sanity check is done after the message header is accessed to update
some link variables.

This commit fixes this issue by moving the data sanity check to
the beginning of state message handling and right after the header
sanity check.

Fixes: 9aa422ad3266 ("tipc: improve size validations for received domain records")
Acked-by: Jon Maloy
Signed-off-by: Tung Nguyen
Link: https://lore.kernel.org/r/20220308021200.9245-1-tung.q.nguyen@dektech.com.au
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
--- net/tipc/link.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/net/tipc/link.c b/net/tipc/link.c index fb835a3822f4..7a353ff62844 100644 --- a/net/tipc/link.c
+++ b/net/tipc/link.c @@ -2245,6 +2245,11 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, break; case STATE_MSG: + /* Validate Gap ACK blocks, drop if invalid */ + glen = tipc_get_gap_ack_blks(&ga, l, hdr, true); + if (glen > dlen) + break; + l->rcv_nxt_state = msg_seqno(hdr) + 1; /* Update own tolerance if peer indicates a non-zero value */ @@ -2270,10 +2275,6 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, break; } - /* Receive Gap ACK blocks from peer if any */ - glen = tipc_get_gap_ack_blks(&ga, l, hdr, true); - if(glen > dlen) - break; tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr, &l->mon_state, l->bearer_id); -- 2.34.1
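
Review bot: in the first hunk (@@ -2245), the new "if (glen > dlen) break;" at the top of case STATE_MSG bounds glen against dlen, but nothing in the visible context shows where dlen is set. Since this check is now the gate for every later access in the case, the commit message or a comment should state that dlen has already been derived from the validated message size by this point. The drop is also silent; a rate-limited trace or a counter on this path would make malformed state messages observable instead of simply discarded.

Review bot: in the second hunk (@@ -2270), once the local check is removed, the call "tipc_mon_rcv(l->net, data + glen, dlen - glen, ...)" depends on glen having been computed and bounded roughly 25 lines earlier, on entry to the case. A one-line comment at the call noting that glen <= dlen is enforced at the start of STATE_MSG would keep a later edit from adding a path that reaches "dlen - glen" without passing the check.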