Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp625562pxp;
        Wed, 16 Mar 2022 12:49:11 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz5zb3FH/dwwRUaJg7EMuD3T52uZ96qbWDeYrvrLqLdP9CO2XEJiZIJleBYpL63BnCZaZvT
X-Received: by 2002:a62:7981:0:b0:4f7:9e4:96e4 with SMTP id u123-20020a627981000000b004f709e496e4mr951611pfc.4.1647460151197;
        Wed, 16 Mar 2022 12:49:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1647460151; cv=none;
        d=google.com; s=arc-20160816;
        b=bHdWOXM8xpZs01EyKS/0mZIJ3JNewavTUCCiVutKPXr2IM3p6E+NBHL+3r6+B5m8x4
         vrdh6I6eInup9py68O4ju1jY5OLIL03AGP4yghgYKQTeu6cEcY3gxCQnQvg2hM3hpMfZ
         SmAgpzNgOD5skMUrD3hLdcQngP3d6Mn+58h7/nU3o6vlqiHjpA0J8Kmm4EQff+7bro2k
         JGCMloOBG0jzmzfXmnKyn55rPN2qNfyfvIKGEgCR3hb/aItZhrv1UMIhFkCHgA6nU+2t
         NuMMKRo6L9XDxae5zUYd6VgO7qZE7SmET1gdFT8rWWIwv0BfwqGtnEak/yIghL3Wm4ft
         U5Lg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=/OM4uuBB85ru9k2XyDdu6MtUGzaaDurW3J928EJtrW8=;
        b=l0SoM2Cj1JPeJ6WDvUAbwc4XcRO+VTUc8E15Dau1myyxWmHGsXMr+jyE5+P4g5z5dV
         iOODFuhAsNVM0/nUq5WFdn6ZgVSJtmDFPnOdkcfAcVgbeHBY3+w5AVml+f6IqhLN27GB
         AUwUaA+Z+pQN6DPYZOnuny4cyy4MxgsSCfToX1bhY77DBR3gvlFIWtUg0h6UrpHQPlhd
         VqfXUXhklMTS1eo+TnskkWeCYi8NYH9yh5HZR8Sz/JFYBf/XH8xQ5V6+y3YWMVR3OJvT
         hEOdw2cV/abBodXvRZGzQeDA/i9Ee5LobBiNZgq4NifhlxXyUz/01fg94h9gtmINyFTU
         DEZQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=qcgWxYdq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id a29-20020a634d1d000000b00381eef6368asi46459pgb.760.2022.03.16.12.48.57;
        Wed, 16 Mar 2022 12:49:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=qcgWxYdq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S241251AbiCNM0T (ORCPT <rfc822;shakeebbk@gmail.com> + 99 others);
        Mon, 14 Mar 2022 08:26:19 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49864 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S242407AbiCNMTA (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 14 Mar 2022 08:19:00 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D28E04D9ED;
        Mon, 14 Mar 2022 05:14:08 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 0EC1060B07;
        Mon, 14 Mar 2022 12:14:08 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id A49B1C340EC;
        Mon, 14 Mar 2022 12:14:05 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1647260047;
        bh=dQE9AN0W3xhOOojm4d6cc0ZVs/VcgoMmZFSyfL9v3+8=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=qcgWxYdqd6vJdglzaxXKqYNY0CKazuwen7c8lDQZb36cMclFTLGonNAaMHXVEVdAS
         CGlbkIKSgcAxbo1minO5cLmz53QuCu1Ol5vH5wmc064qpeJwtIHS0CM9NflN4TFYgX
         u2vUSFmStnHPR6tNrr0qKAqCLh40jpBUCgdSGX1c=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Jon Maloy <jmaloy@redhat.com>,
        Tung Nguyen <tung.q.nguyen@dektech.com.au>,
        Jakub Kicinski <kuba@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.16 040/121] tipc: fix incorrect order of state message data sanity check
Date:   Mon, 14 Mar 2022 12:53:43 +0100
Message-Id: <20220314112745.247266147@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220314112744.120491875@linuxfoundation.org>
References: <20220314112744.120491875@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-8.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI,
        SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Tung Nguyen <tung.q.nguyen@dektech.com.au>

[ Upstream commit c79fcc27be90b308b3fa90811aefafdd4078668c ]

When receiving a state message, function tipc_link_validate_msg()
is called to validate its header portion. Then, its data portion
is validated before it can be accessed correctly. However, current
data sanity  check is done after the message header is accessed to
update some link variables.

This commit fixes this issue by moving the data sanity check to
the beginning of state message handling and right after the header
sanity check.

Fixes: 9aa422ad3266 ("tipc: improve size validations for received domain records")
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: Tung Nguyen <tung.q.nguyen@dektech.com.au>
Link: https://lore.kernel.org/r/20220308021200.9245-1-tung.q.nguyen@dektech.com.au
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/link.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/tipc/link.c b/net/tipc/link.c
index 4e7936d9b442..115a4a7950f5 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2285,6 +2285,11 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 		break;
 
 	case STATE_MSG:
+		/* Validate Gap ACK blocks, drop if invalid */
+		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
+		if (glen > dlen)
+			break;
+
 		l->rcv_nxt_state = msg_seqno(hdr) + 1;
 
 		/* Update own tolerance if peer indicates a non-zero value */
@@ -2310,10 +2315,6 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 			break;
 		}
 
-		/* Receive Gap ACK blocks from peer if any */
-		glen = tipc_get_gap_ack_blks(&ga, l, hdr, true);
-		if(glen > dlen)
-			break;
 		tipc_mon_rcv(l->net, data + glen, dlen - glen, l->addr,
 			     &l->mon_state, l->bearer_id);
 
-- 
2.34.1