From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jon Maloy, Tung Nguyen, Jakub Kicinski, Sasha Levin
Subject: [PATCH 5.16 040/121] tipc: fix incorrect order of state message data sanity check
Date: Mon, 14 Mar 2022 12:53:43 +0100
Message-Id: <20220314112745.247266147@linuxfoundation.org>
In-Reply-To: <20220314112744.120491875@linuxfoundation.org>

From: Tung Nguyen

[ Upstream commit c79fcc27be90b308b3fa90811aefafdd4078668c ]

When receiving a state message, function tipc_link_validate_msg() is called to validate its header portion. Then, its data portion is validated before it can be accessed correctly. However, current data sanity check is done after the message header is accessed to update some link variables.

This commit fixes this issue by moving the data sanity check to the beginning of state message handling and right after the header sanity check.

Fixes: 9aa422ad3266 ("tipc: improve size validations for received domain records")
Acked-by: Jon Maloy
Signed-off-by: Tung Nguyen
Link: https://lore.kernel.org/r/20220308021200.9245-1-tung.q.nguyen@dektech.com.au
Signed-off-by: Jakub Kicinski
Signed-off-by: Sasha Levin
---
 net/tipc/link.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/tipc/link.c b/net/tipc/link.c index 4e7936d9b442..115a4a7950f5 100644 --- a/net/tipc/link.c
+++ b/net/tipc/link.c @@ -2285,6 +2285,11 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, break; case STATE_MSG: + /* Validate Gap ACK blocks, drop if invalid */ + glen = tipc_get_gap_ack_blks(&ga, l, hdr, true); + if (glen > dlen) + break; + l->rcv_nxt_state = msg_seqno(hdr) + 1; /* Update own tolerance if peer indicates a non-zero value */ @@ -2310,10 +2315,6 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb, break; } - /* Receive Gap ACK blocks from peer if any */ - glen = tipc_get_gap_ack_blks(&ga, l, hdr, true); - if(glen > dlen) - break; tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr, &l->mon_state, l->bearer_id); -- 2.34.1
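
Review bot: In the first hunk (@@ -2285), the call to tipc_get_gap_ack_blks(&ga, l, hdr, true) now runs for every STATE_MSG, including messages that later leave the case through the early `break; }` visible as context at the top of the second hunk; before the move those messages never reached the call. The changelog only talks about ordering relative to the header accesses, so it would help to state, in the commit message or the new comment, that the function has no effect on link state beyond filling `ga` and returning `glen`, or to explain why running it on those paths is safe. The comment also says "drop if invalid" while the code only does `break`; the hunk does not show what happens to the skb after the switch, so wording such as "stop processing if invalid" would match what is visible.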
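
Review bot: In the second hunk (@@ -2310), the bound that keeps `data + glen` and `dlen - glen` in range at the tipc_mon_rcv() call is no longer next to that call; it now sits roughly 25 lines earlier at the top of the case. A one-line comment at the call site noting that `glen <= dlen` was already enforced on entry to STATE_MSG would make the dependency explicit and protect against a later edit that assigns `glen` again or adds a path that skips the check. The declarations of `glen` and `dlen` are not shown, so it is also worth confirming that both have the same signedness for the `glen > dlen` comparison.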