Commit 7ff0b608 authored by David S. Miller's avatar David S. Miller

Merge branch 'tipc-a-batch-of-uninit-value-fixes-for-netlink_compat'

Xin Long says:

====================
tipc: a batch of uninit-value fixes for netlink_compat

These issues were all reported by syzbot and have existed since the very beginning.
See the details on each patch.
====================
Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents d3de85a5 2ac695d1
...@@ -267,8 +267,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd, ...@@ -267,8 +267,14 @@ static int tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
if (msg->rep_type) if (msg->rep_type)
tipc_tlv_init(msg->rep, msg->rep_type); tipc_tlv_init(msg->rep, msg->rep_type);
if (cmd->header) if (cmd->header) {
(*cmd->header)(msg); err = (*cmd->header)(msg);
if (err) {
kfree_skb(msg->rep);
msg->rep = NULL;
return err;
}
}
arg = nlmsg_new(0, GFP_KERNEL); arg = nlmsg_new(0, GFP_KERNEL);
if (!arg) { if (!arg) {
...@@ -397,7 +403,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd, ...@@ -397,7 +403,12 @@ static int tipc_nl_compat_bearer_enable(struct tipc_nl_compat_cmd_doit *cmd,
if (!bearer) if (!bearer)
return -EMSGSIZE; return -EMSGSIZE;
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_BEARER_NAME); len = TLV_GET_DATA_LEN(msg->req);
len -= offsetof(struct tipc_bearer_config, name);
if (len <= 0)
return -EINVAL;
len = min_t(int, len, TIPC_MAX_BEARER_NAME);
if (!string_is_valid(b->name, len)) if (!string_is_valid(b->name, len))
return -EINVAL; return -EINVAL;
...@@ -766,7 +777,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd, ...@@ -766,7 +777,12 @@ static int tipc_nl_compat_link_set(struct tipc_nl_compat_cmd_doit *cmd,
lc = (struct tipc_link_config *)TLV_DATA(msg->req); lc = (struct tipc_link_config *)TLV_DATA(msg->req);
len = min_t(int, TLV_GET_DATA_LEN(msg->req), TIPC_MAX_LINK_NAME); len = TLV_GET_DATA_LEN(msg->req);
len -= offsetof(struct tipc_link_config, name);
if (len <= 0)
return -EINVAL;
len = min_t(int, len, TIPC_MAX_LINK_NAME);
if (!string_is_valid(lc->name, len)) if (!string_is_valid(lc->name, len))
return -EINVAL; return -EINVAL;
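Review bot: The short-TLV check added in tipc_nl_compat_bearer_enable and repeated in tipc_nl_compat_link_set only works while `len` is a signed int, and its declaration is outside both hunks (the `min_t(int, ...)` suggests it is). `offsetof()` yields a `size_t`, so `len -= offsetof(...)` is evaluated unsigned and turns negative only when the result is stored back into `len`. If `len` were unsigned, `len <= 0` would let a payload shorter than the fixed fields through, and `string_is_valid()` would scan memory beyond what the sender supplied. I would record that above the subtraction in both places, e.g. `/* len must stay signed: a TLV shorter than the fields before name makes this negative */`, and write the subtraction as `len -= (int)offsetof(struct tipc_bearer_config, name);` (likewise for `struct tipc_link_config`). Both functions begin and end outside the hunks shown.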